Crutch Malware

The Crutch Malware is a recently discovered backdoor malware tool that has been part of the operations of the infamous Turla APT (Advanced Persistent Threat) group. According to the infosec researchers who analyzed the threat, Crutch has been in exploitation from 2015 to at least early 2020. The threat has been discovered lurking inside the computer systems of a Ministry of Foreign Affairs of a country that is part of the European Union. Exactly like the majority of the malware tools in Turla's arsenal, Crutch appears to be a custom-made malware threat that is deployed only against select targets.

Although it has not been proven, Crutch carries the signs of a post-compromise malware threat. This means that it is delivered onto the target after the initial compromise vector has been successfully established. One potential scenario that has been observed is the deployment of Crutch months after the targeted system was infected with a first-stage implant named SKipper. Another method involves the use of the PowerShell Empire framework.

The main goal of Crutch Malware is to carry out espionage activities by harvesting sensitive documents from the infected machines, compressing them, and exfiltrating the files to Turla. During its life-cycle, Crutch Malware saw its capabilities and operational routines go through severe changes with several different versions of the threat being created by the hackers. For example, in the initial versions, Crutch had to receive specific commands from Turla operatives before executing any of its threatening activities. Persistence was achieved through DLL hijacking on Chrome, Firefox, or OneDrive. During this period, Cruch included a second binary that was responsible for monitoring any removable media for filetypes representing particular interest for the hackers, including MS Word documents, PDFs, RTFs, etc.

In version 4 of the threat, or what researchers believe to be the fourth version, Crutch lost its ability to execute any backdoor commands. Instead, the threat's activities were automated entirely. It could now independently exfiltrate files of interest found on local and removable drives by exploiting the Windows version of the Wget utility.

One aspect that has consistently remained part of the Crutch Malware is the destination of the stolen files. Through the different versions, all harvested data has been delivered to Dropbox storage accounts under the control of the Turla hackers. The use of legitimate services, Dropbox, in this case, helps the hackers to more easily avoid detection by blending the abnormal traffic created by their tools among the usual network activities of the victim.