
Pelmeni Wrapper

Cybersecurity analysts have unearthed a fresh Turla campaign showcasing innovative strategies and a modified variant of the Kazuar Trojan, distributed through an unfamiliar wrapper named Pelmeni.

Turla, a cyber espionage APT (Advanced Persistent Threat) group linked to the Russian FSB, is renowned for its meticulous targeting and unwavering operational pace. Since 2004, Turla has zeroed in on governmental bodies, research establishments, diplomatic missions, and sectors like energy, telecommunications and pharmaceuticals on a global scale.

The examined campaign underscores Turla's preference for precise, targeted strikes. Initial access likely builds on a prior infection, followed by the deployment of a malicious DLL disguised as a legitimate library from a genuine service or product. The Pelmeni Wrapper then loads the next-stage payload.

Initial Stages of the Infection Chain

The highly targeted nature of the attack may suggest a deliberate placement of malware onto the victim's computer following a prior infection. To conceal the malicious software, the perpetrators employ the Sideload DLL technique, masquerading as legitimate libraries associated with 'SkyTel,' 'NVIDIA GeForce Experience,' 'vncutil,' or 'ASUS.' Upon execution of the genuine application, the malicious DLL (Pelmeni Wrapper) is loaded, allowing the infection to proceed.

The malware utilizes a hash derived from the victim's 'ComputerName' XORed with a constant. This hash serves as a seed in the pseudorandom number generator algorithm ranqd1, generating values used for decrypting function names.

A thread spawned by Pelmeni Wrapper decrypts a .NET assembly and executes it from memory. Concurrently, Pelmeni monitors the .NET component in the background and verifies connectivity by pinging Google. Because the decryption key is derived from the victim's ComputerName, the sample is designed to terminate if executed on a different machine, so the infection does not proceed anywhere other than on the intended target.

Researchers note that the algorithm employed for decrypting the payload is identical to that used for decrypting the exports, rendering it susceptible to brute-force attacks.
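The keying scheme described above (a hash of ComputerName XORed with a constant, fed as the seed to ranqd1, whose output masks export names and the payload) is easiest to understand as code. The following is an added illustration, not Pelmeni Wrapper's own code: ranqd1 is the Numerical Recipes linear congruential generator (x = 1664525*x + 1013904223 mod 2^32); the hash of ComputerName is modelled with 32-bit FNV-1a, the XOR constant is a placeholder, and taking the high byte of each generator output as keystream is an assumption, since the page does not document those details. The sample export names, hostname and payload header are constructed for the demo. The `recover_seed` function shows why the scheme is brute-forceable from an analyst's perspective: the seed space is only 32 bits and the payload is a PE file, so a known-plaintext check on the "MZ" header confirms a candidate seed in a few generator steps.

```python
"""Model of a ranqd1-keyed XOR decryptor and analyst-side seed recovery.

Added example. Labelled assumptions: FNV-1a stands in for the undocumented
ComputerName hash, XOR_CONSTANT is a placeholder, and the keystream is the
high byte of each ranqd1 output.
"""
from typing import Iterable, List, Optional, Tuple

XOR_CONSTANT = 0x5A5A1234  # hypothetical placeholder, not taken from any sample

LCG_MULT = 1664525         # ranqd1 multiplier (Numerical Recipes)
LCG_INC = 1013904223       # ranqd1 increment
MASK32 = 0xFFFFFFFF

# Constructed sample data for the demonstration.
VICTIM_NAME = "WS-FINANCE-07"
EXPORT_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"CreateThread"]
PAYLOAD = b"MZ\x90\x00" + b"<constructed stand-in for the .NET assembly>"
PE_MAGIC = b"MZ\x90\x00"   # known plaintext: a PE/.NET assembly starts with "MZ"


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a; stands in for the wrapper's undocumented hash (assumption)."""
    h = 0x811C9DC5
    for b in data:
        h ^= b
        h = (h * 0x01000193) & MASK32
    return h


def seed_from_computer_name(name: str) -> int:
    """Seed = hash(ComputerName) XOR constant. Windows hostnames are
    case-insensitive, so normalise before hashing (modelling choice)."""
    return fnv1a32(name.upper().encode("utf-16-le")) ^ XOR_CONSTANT


def ranqd1_stream(seed: int, n: int) -> bytes:
    """Produce n keystream bytes from ranqd1 seeded with `seed`.
    The high byte is used because the low bits of a mod-2^32 LCG have
    a very short period (assumption about the wrapper's choice)."""
    x = seed & MASK32
    out = bytearray()
    for _ in range(n):
        x = (LCG_MULT * x + LCG_INC) & MASK32
        out.append(x >> 24)
    return bytes(out)


def xor_with_stream(data: bytes, seed: int) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, ranqd1_stream(seed, len(data))))


def build_sample() -> Tuple[int, List[bytes], bytes]:
    """Construct what an analyst would carve out of the wrapper: the
    encrypted export names and the encrypted payload (same seed for both,
    as the page states the same algorithm is used for each)."""
    seed = seed_from_computer_name(VICTIM_NAME)
    enc_names = [xor_with_stream(n, seed) for n in EXPORT_NAMES]
    enc_payload = xor_with_stream(PAYLOAD, seed)
    return seed, enc_names, enc_payload


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 seed_candidates: Iterable[int]) -> Optional[int]:
    """Known-plaintext search: only the first len(known_prefix) bytes are
    decrypted per candidate, so each trial costs a handful of LCG steps.
    Over the full 2**32 space this is cheap in a compiled tool; here the
    candidates come from a hostname wordlist."""
    head = ciphertext[:len(known_prefix)]
    for seed in seed_candidates:
        if xor_with_stream(head, seed) == known_prefix:
            return seed
    return None


def recover_from_hostnames(enc_payload: bytes, hostnames: List[str]) -> Optional[int]:
    """Derive a candidate seed from each plausible victim hostname."""
    return recover_seed(enc_payload, PE_MAGIC,
                        (seed_from_computer_name(h) for h in hostnames))


def decrypt_exports(enc_names: List[bytes], seed: int) -> List[bytes]:
    return [xor_with_stream(c, seed) for c in enc_names]


if __name__ == "__main__":
    true_seed, enc_names, enc_payload = build_sample()
    wordlist = ["DESKTOP-7Q2K", "SRV-DC01", "ws-finance-07", "LAPTOP-HR"]  # constructed
    found = recover_from_hostnames(enc_payload, wordlist)
    print("seed recovered:", found == true_seed)
    print("exports:", decrypt_exports(enc_names, found))
```

The machine-binding behaviour described above falls out of this design: on any host whose name does not reproduce the seed, `xor_with_stream` yields garbage, the "MZ" check fails and the sample exits. For the analyst, the same property is a weakness, because the victim's hostname (often known from the incident) or a 32-bit exhaustive search recovers the payload without running it on the original machine.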

The Pelmeni Wrapper Executes Several Invasive Functions

The Pelmeni Wrapper provides the following functionality:

  • Operational Logging: Generates a concealed log file with a randomized name and extension to monitor campaign activities discreetly.
  • Payload Delivery: Uses a bespoke decryption mechanism built on a pseudorandom number generator to load and execute functions.
  • Execution Flow Redirection: Manipulates process threads and injects code to redirect execution to a decrypted .NET assembly housing the primary malware.

Pelmeni Wrapper Deploys a Variant of Turla’s Kazuar Malware

The final stage of Turla's intricate attack chain is the activation of Kazuar, a versatile Trojan horse that has been a staple in Turla's arsenal since it was first discovered in 2017. Compared with previously documented versions, this variant of the backdoor exhibits two notable differences:

  • Adoption of a new protocol for data exfiltration.
  • Use of a different directory for logging.

Previously, it was widely known that Kazuar supported five protocols for exfiltrating data. However, this latest version introduces the capability to exfiltrate data using sockets. Consequently, researchers speculate that other variants of this threat may also incorporate additional protocols.

Additionally, this sample deviates from earlier reports in terms of the directory used for logging. Nevertheless, this discrepancy is considered minor and may be observed in other Kazuar samples as well.

The observed subtle yet consequential advancements in Kazuar's deployment highlight that Turla is continuing to modify, evolve, and expand its already considerable arsenal of malware threats. The group will likely continue to be a major player on the cybercrime scene, with its attack operations closely aligned with Russia's interests.
