Turla APT
Turla, also known as Pensive Ursa, Uroburos, and Snake, represents a sophisticated Advanced Persistent Threat (APT) originating from Russia, with a history dating back to at least 2004 and purported ties to the Russian Federal Security Service (FSB). Renowned for its targeted intrusions and cutting-edge stealth tactics, Turla has earned a reputation as a formidable and elusive adversary, showcasing exceptional technical prowess in orchestrating covert and stealthy cyber assaults.
Over the years, Turla has extended its reach across more than 45 countries, infiltrating a diverse array of sectors such as government agencies, diplomatic missions, military establishments, as well as educational, research and pharmaceutical institutions. Additionally, the group has been implicated in activities related to the Russian-Ukraine conflict that erupted in February 2022, as per reports from the Ukraine CERT, indicating espionage operations directed at Ukrainian defense interests.
Although Turla predominantly focused its espionage efforts on Windows-based systems, it has demonstrated capabilities to target macOS and Linux platforms. Through relentless development, Turla has amassed a formidable arsenal of malware tools, including but not limited to Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon and HyperStackand TinyTurla, which have been actively employed in various threatening campaigns.
Table of Contents
Turla Begins Targeting Linux Systems
By 2014, Turla had already been operating in the cyber landscape for several years, yet the method of its infection remained a mystery. Research conducted in the same year shed light on a sophisticated multi-stage attack dubbed Epic Turla, unveiling Turla's utilization of the Epic malware family. This campaign exploited vulnerabilities CVE-2013-5065 and CVE-2013-3346, leveraging spear-phishing emails armed with Adobe PDF exploits alongside watering-hole techniques employing Java exploits (CVE-2012-1723).
A notable aspect of this campaign was Turla's deployment of advanced backdoors such as Carbon/Cobra, occasionally utilizing both as a failover mechanism.
Prior Turla operations predominantly targeted Windows systems, but in August 2014, the landscape shifted as Turla ventured into Linux territory for the first time. Known as Penguin Turla, this initiative saw the group employing a Linux Turla module featuring a C/C++ executable statically linked against multiple libraries, significantly increasing its file size for this particular operation.
Turla Introduces New Malware Threats in Its Attack Operations
In 2016, a group known as Waterbug, purportedly a state-sponsored entity, employed variants of Trojan.Turla and Trojan.Wipbot to exploit a zero-day vulnerability, specifically targeting the Windows Kernel NDProxy.sys local privilege escalation vulnerability (CVE-2013-5065). According to research findings, the attackers utilized meticulously crafted emails containing unsafe attachments alongside a network of compromised websites to deliver their nefarious payloads.
The following year, researchers uncovered an advanced iteration of the Turla malware - a second-stage backdoor identified as Carbon. Initiation of a Carbon attack typically involves the victim either receiving a spear-phishing email or stumbling upon a compromised website, colloquially known as a watering hole.
Subsequently, a first-stage backdoor like Tavdig or Skipper is installed. Upon completion of reconnaissance activities, the Carbon framework orchestrates the installation of its second-stage backdoor on critical systems. This framework comprises a dropper responsible for installing its configuration file, a communication component to interact with the Command and Control (C&C) server, an orchestrator for managing tasks and lateral movement within the network, and a loader for executing the orchestrator.
Turla’s Kazuar Backdoor Enters the Scene
In May 2017, cybersecurity researchers linked a newly discovered backdoor Trojan, Kazuar, to the Turla group. Developed using the Microsoft .NET Framework, Kazuar boasts highly functional command sets capable of remotely loading additional plug-ins.
Kazuar operates by gathering system and malware file name information, establishing a mutex to ensure singular execution and adding an LNK file to the Windows startup folder.
The command sets within Kazuar exhibit resemblances to those found in other backdoor Trojans. For instance, the tasklist command utilizes a Windows Management Instrumentation (WMI) query to retrieve running processes from Windows, while the info command collects data on open windows. Moreover, Kazuar's cmd command executes commands using cmd.exe for Windows systems and /bin/bash for Unix systems, indicating its design as a cross-platform malware targeting both Windows and Unix environments.
Further research in early 2021 unveiled notable parallels between the Sunburst and Kazuar backdoors.
More Turla Attack Campaigns Taking Place in 2017
Turla introduced a fresh second-stage backdoor called Gazer, coded in C++, leveraging watering-hole attacks and spear-phishing campaigns to target victims precisely.
In addition to its enhanced stealth capabilities, Gazer exhibited numerous resemblances to previously employed second-stage backdoors like Carbon and Kazuar. A notable feature of this campaign was the integration of 'video-game-related' sentences within the code. Turla secured Gazer's Command and Control (C&C) server by encrypting it with its proprietary library for 3DES and RSA encryption.
Turla Incorporates Threats and Infrastructure from Other Cybercrime Groups
In 2018, an intelligence report indicated that Turla employed newly developed harmful tools, Neuron and Nautilus, alongside the Snake Rootkit, to target Windows machines, with a particular focus on mail and Web servers. Turla utilized compromised Snake victims to scan for ASPX shells, transmitting commands via encrypted HTTP cookie values. Turla leveraged ASPX shells to establish initial access to target systems for the deployment of additional tools.
Once again in 2018, Turla set its sights on the foreign offices of European governments, aiming to infiltrate highly sensitive information through a backdoor. This campaign targeted Microsoft Outlook and The Bat!, a widely used mail client in Eastern Europe, redirecting all outgoing emails to the attackers. The backdoor utilized email messages to extract data, employing specially crafted PDF documents and utilizing email messages as a conduit for its Command and Control (C&C) server.
In 2019, Turla operators exploited the infrastructure of OilRig, an APT group associated with Iran known for targeting government entities and organizations in the Middle East, to conduct their own attack operations. This campaign involved the deployment of a heavily modified, custom variant of the Mimikatz tool alongside a new array of tools featuring several fresh backdoors. In the later phases of the campaign, the Turla group utilized a distinct Remote Procedure Call (RPC) backdoor, incorporating code from the publicly accessible PowerShell Runner tool to execute PowerShell scripts without relying on powershell.exe.
New Backdoor Threats Released Throughout 2020
In March 2020, security analysts observed Turla employing watering-hole attacks to target numerous Armenian websites. These websites were injected with corrupted JavaScript code, although the precise methods of access utilized in the attacks remain undisclosed.
Subsequently, the compromised web pages distributed second-stage compromised JavaScript code to identify victim browsers and coax them into installing a bad Flash installer. Turla then leveraged NetFlash, a .NET downloader, and PyFlash for its secondary malware deployment.
A few months later, Turla employed ComRAT v4, alias Agent.BTZ, as a Remote Access Trojan (RAT). This malware, crafted using C++, features a virtual FAT16 file system frequently utilized for exfiltrating sensitive documents. It is disseminated through established access routes such as the PowerStallion PowerShell backdoor while employing HTTP and email as Command and Control (C&C) channels.
Towards the end of 2020, cybersecurity experts stumbled upon an undocumented backdoor and document extractor named Crutch, attributed to the Turla group. Earlier versions of Crutch included a backdoor communicating with a pre-determined Dropbox account via the official HTTP API.
This backdoor possessed capabilities to execute commands related to file manipulation, process execution, and establishing persistence through DLL hijacking on Google Chrome, Mozilla Firefox or Microsoft OneDrive. Notably, Crutch v4 boasts an automated feature to upload local and removable drive files to Dropbox storage, facilitated by the Windows version of the Wget utility, unlike previous iterations reliant on backdoor commands.
The Turla APT Group Unleashes the TinyTurla Malware and Starts Targeting Assets in Ukraine
The emergence of the TinyTurla backdoor came to attention in 2021. This threat likely serves as a contingency plan, enabling sustained access to systems even in the event of primary malware removal. Installation of this backdoor is facilitated through a batch file and manifests as a service DLL named w64time.dll, aiming to mimic the legitimate w32time.dll file on Windows platforms.
Amidst the Russian invasion of Ukraine, the Turla APT redirected its focus towards targets aligned with Russia's interests in the conflict. An announcement from the Computer Emergency Response Team of Ukraine (CERT-UA) in July 2023 disclosed Turla's utilization of the Capibar malware and Kazuar backdoor for espionage activities targeting Ukrainian defense assets. In this operation, Capibar was employed for intelligence gathering while Kazuar specialized in credential theft. The attack predominantly targeted diplomatic and military entities through phishing campaigns.
The Emergence of TinyTurla-NG and Pelmeni Wrapper
Toward the end of 2023, the Turla threat actor was observed employing a new backdoor named TinyTurla-NG in a campaign spanning three months. The attack operation specifically targeted non-governmental organizations in Poland. Similar to its predecessor, TinyTurla-NG functions as a compact 'last resort' backdoor. It is strategically deployed to remain dormant until all other unauthorized access or backdoor mechanisms on the compromised systems have either failed or been discovered.
In February 2024, cybersecurity analysts unearthed a fresh Turla campaign showcasing innovative strategies and a modified variant of the Kazuar Trojan. In this particular attack operation, the Kazuar threat was distributed to the targeted victims through a previously undocumented wrapper named Pelmeni.
The Turla APT Remains a Major Cyberthreat Despite Years of Detailed Attack Operations
The Turla group stands as a persistent and enduring adversary, boasting a lengthy track record of activities. Their origins, tactics, and choice of targets suggest a well-resourced operation led by adept operatives. Over the years, Turla has consistently enhanced its tools and methodologies, indicating a commitment to continuous refinement.
The menace posed by groups like Turla underscores the imperative for organizations and governments to maintain vigilance. This entails staying abreast of developments, exchanging intelligence, and implementing robust security measures. Such proactive steps enable both groups and individuals to bolster their defenses against the threats posed by such actors.
