Turla group improves its tools in persistence and stealth, ESET discovers

Next story

ESET researchers analyze new PowerShell-based tools used by Turla, an infamous APT group, that improve persistence and stealth. Turla, also known as Snake, recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. Thanks to these PowerShell-based tools, Turla can bypass those detection techniques that are triggered when a malicious executable is dropped on a disk.

Turla is an infamous espionage group recognized for its complex malware. It is believed to have been operating since at least 2008, when it successfully breached the US military. It has also been involved in major attacks against many government entities in Europe and the Middle East – among them the German Foreign Office and the French military.

Recently, ESET researchers detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts. “It is likely the same scripts are used globally against other traditional Turla targets,” says Matthieu Faou, ESET researcher who conducted the investigation. 

ESET researchers have published a blogpost with the results of their analysis of Turla’s PowerShell scripts to help defenders counter them. “Along with Turla’s new PowerShell loader, we’ve discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its Command and Control server,” says Faou.

The PowerShell loaders, detected by ESET under the umbrella name PowerShell/Turla, differ from simple droppers in their ability to persist on the system as they regularly load into memory only the embedded executables. In some samples, Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI). This technique, which was  first disclosed at the Black Hat Asia 2018 conference, leads to the antimalware product being unable to receive data from the AMSI interface for scanning.

“However, these techniques do not prevent the detection of the actual malicious payloads in memory.” explains Matthieu Faou.

Among the payloads recently used by Turla, two stand out. One is a whole set of backdoors relying on the RPC protocol. These backdoors are used to perform lateral movement and take control of other machines in the local network without relying on an external C&C server.  Also, of interest is PowerStallion, a lightweight PowerShell backdoor using the above-mentioned Microsoft cloud storage service, OneDrive, as a Command & Control server.

“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” comments Matthieu Faou.

ESET researchers are committed to closely following the Turla APT group and other key threat actors, and to monitoring their techniques, tactics and procedures to help defenders protect the networks they are responsible for.

More details can be read in the blogpost published on WeLiveSecurity.com
---------------------------------------------------------------------------------------------------------------------

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit us on www.eset.com/gr-en or follow us on LinkedInFacebook and Twitter.