The Turla APT (Advanced Persistent Threat), is an infamous Russian hacking group, which has been operating for over a decade now. They are also called Uroburos APT or Snake APT. They are known for having a taste for high-end victims. It was reported that the Turla APT had infiltrated Germany's Federal College of Public Administration and then, through it, managed to compromise The Federal Foreign Office of the country. Furthermore, this was not a one-time penetration; it has been disclosed that the Turla APT went under the radar of the German authorities for nearly the whole of 2017. During this time, the hacking group was siphoning and collecting government data. This impressive operation was carried out with an APT's tool called the Turla Backdoor.
Three European countries have reported attacks from this Russian hacking group. The targets were once again their foreign offices. It is safe to assume that the Turla APT is involved in espionage heavily since their main targets have always been diplomats, military and state authorities and politicians. It is suspected that the Turla APT may be linked to the Russian government, but this information is yet to be confirmed.
The Turla APT's backdoor is believed to originate back in 2009. However, the hacking group has not been idle over the years and have introduced many improvements to their backdoor such as the ability of the threat to receive commands via a PDF file attached to an email, which was introduced back in 2016. In 2018 a new feature was added to the Turla APT's backdoor – it had been upgraded with the ability to execute PowerShell commands on the infected host.
This most recent version of this backdoor is equipped with the ability to infiltrate Microsoft Outlook. Interestingly enough, the Turla APT does not use a vulnerability in the application, but instead, manipulates the legitimate MAPI (Messaging Application Programming Interface) of Microsoft Outlook and through it gain access to the direct messages of their intended targets. Unlike most backdoors, which usually receive commands through a Command and Control server of the perpetrators, the Turla Backdoor is controlled through specially crafted emails thanks to the improvement that the Turla APT introduced in 2016. The Turla Backdoor is able to perform many commands, among which are collecting data and downloading and executing various files. This backdoor is not too picky when it comes to where it gets planted – the Turla Backdoor is in the form of DLL module (Dynamic Link Library) and capable of running from anywhere within the hard drive. Furthermore, the Turla APT employs a Windows utility (RegSvr32.exe) to install its backdoor on the targeted system.
Of course, as every highly-efficient threat of this caliber, the Turla Backdoor also is equipped with great persistence. To minimize the chances of being detected, the Turla Backdoor will not carry out its 'duties' all the time. Instead, it uses a well-known Windows vulnerability regarding the Component Object Model (COM.) By exploiting this vulnerability, the backdoor is able to inject its instances in the legitimate 'outlook.exe' process, therefore eliminating the need to use a DLL injection – an attack vector that anti-virus products detect with ease.
By infiltrating Microsoft Outlook, the Turla Backdoor is able to collect the metadata on their victim's messaging activity – email subject, name of the attachment, senders and recipients. This data is collected and stored by the Turla Backdoor and is transferred to the attacker's servers periodically. A threat like the Turla Backdoor could cause a lot of damage, especially if the attackers manage to infect a system used to store sensitive data or communication and it is evident that the Turla APT targets exactly these users.
Apart from data theft, the malware can be commanded to download additional files or execute corrupted PowerShell scripts. In conclusion, the Turla Backdoor is a threat that comes close to a rootkit in its functionality.