Turla backdoor leverages email PDF attachments as C&C mechanism [source: securityaffairs]
by CIRT Team
Malware researchers from ESET have published a detailed report on the latest variant of the Turla backdoor that leverages email PDF attachments as C&C.
Malware researchers from ESET have conducted a new analysis of a backdoor used by the Russia-linked APT Turla in targeted espionage operations.
The new analysis revealed a list of high-profile victims that was previously unknown.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.
The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.
Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (the Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using
The new analysis conducted by ESET revealed that the hackers breached Germany’s Federal Foreign Office: Turla infected several computers and used the backdoor to siphon data for almost the whole of 2017.
The cyberspies first compromised the network of the country’s Federal College of Public Administration, then breached the network of the Foreign Office in March 2017. The intrusion was discovered by German authorities at the end of that year and publicly disclosed in March 2018. ESET explained that the most important finding of the new analysis is the discovery of a covert access channel used by Turla to hit the foreign offices of two other European countries.
“Importantly, our own investigation has determined that, beyond this much-publicized security breach, the group has leveraged the same backdoor to open a covert access channel to the foreign offices of another two European countries, as well as to the network of a major defense contractor,” reads the analysis published by ESET.