Turla – high sophistication Russian-nexus threat group

Feb 4, 2021

Introduction

Believed active since 2004, if not much earlier, Turla is a high sophistication Russian-nexus threat group with espionage and intelligence gathering motivations targeting organizations worldwide. We have written about them in the past here.

Known by many security vendor assigned names over the years including Turla Team, Uroburos and Venomous Bear, this bulletin provides an overview of Turla-attributed threats as observed over the past six months.

Traditionally targeting governments and the military-industrial complex (MIC), Turla has expanded its operations over the years with victims now operating across multiple sectors including high-tech, pharmaceuticals and retail. Furthermore, victims appear to be located almost anywhere in the world rather than just targeting organizations in countries considered traditionally adversarial to Russian interests.

As is often the case with nation-state threats, Turla typically employs similar tactics, techniques and procedures (TTP) across their campaigns such as the use of watering hole attacks, also known as supply-chain compromise, and spear-phishing lures to gain initial access to a victim network followed by the deployment of bespoke malware that communicates with tiered command and control (C2) infrastructure.

After an initial compromise, Turla typically delivers additional tools that are used to move laterally within the target organization and include the use of modular malware that allows attacks to be tailored to the specific victims.

Sunburst

In a malicious campaign hitting the headlines in December 2020 and January 2021, albeit potentially commencing as early as March 2020, a supply chain attack saw the introduction of a backdoor into SolarWinds Orion products leading to the compromise of numerous SolarWinds customers including Cisco, FireEye, Microsoft and SolarWinds themselves.

Dubbed ‘Sunburst’ and initially attributed to the threat actor identifiers ‘Dark Halo’, ‘Solorigate’, ‘StellarParticle’ and ‘UNC2452’, this well orchestrated attack used digitally-signed dynamic link libraries (DLL) with embedded backdoor code that was delivered to victims via the SolarWinds software update process and provided the threat actors with remote access.

Whilst not fully attributed to Turla, third-party analysis [1] of the ‘Sunburst’ backdoor suggests that there are notable links between it and Kazuar, a .NET backdoor widely linked to Turla Group.

Although it is not uncommon for threats to build upon the work of others, the similarities between Sunburst and Kazuar appear to be more closely aligned such as their ‘sleep time’ algorithm, non-cryptographic FNV-1a hashing algorithm and the method used to construct victim identifiers.

Whilst attribution remains a difficult task, these observations align with US law enforcement statements suggesting that the SolarWinds incident was likely orchestrated by a sophisticated Russian-nexus threat actor and therefore potentially Turla.

For reference, further information on the SolarWinds incident and the resulting fallout can be obtained from the following CyberInt blog posts:

SolarWinds Supply Chain Attack (December 21, 2020) [2]
SolarWinds Orion API LFI (January 5, 2021) [3]
SolarLeaks (January 26, 2021) [4]

Kazaur

Of the various malware threats used by Turla, the Kazuar remote access trojan (RAT) appears to be their go-to threat. First analyzed by Palo Alto’s Unit 42 in 2017, Kazuar is believed to have a code lineage that can be traced back to at least 2005, a time that is somewhat consistent with the group’s suspected time of formation.

Built using the Microsoft .NET Framework and predominately targeting Windows-based systems, previous analysis of the code has identified ‘*nix’ command references and it is therefore suggested that the RAT could be used to target victims across platforms including Apple MacOS and Linux.

Consistent with Turla’s reutilization of tactics, techniques and procedures (TTP) throughout their campaigns, those involving the delivery of Kazuar have typically commenced with either a watering hole or spear-phishing attack as the initial delivery vector.

After the initial compromise, an information collection process is thought to gather victim details as well as ensuring that only one instance of the Kazuar RAT is executed. Subsequently, the Kazuar payload is deployed along with its configuration and, due to its modular configuration, any required or victim specific plugins .

Following an initial beacon to command and control (C2) infrastructure, XML ‘tasks’ are sent to the victim host and correspond to common RAT features such as :

Information gathering, including screen and webcam capture;
File manipulation, including the ability to upload and download;
Remote command execution and process interaction;

Additionally, these tasks allow remote management of the RAT, such as the ability to upgrade or change its configuration, as well as providing the ability to install or remove functionality through the use of plugins.

Furthermore, as a fall-back channel, Kazuar can be instructed to listen for inbound HTTP requests containing tasks, effectively reversing the communication channel and negating the need for outbound C2 activity. In addition to potentially evading detection, this feature allows the threat actor to configure a compromised system as a staging point for data exfiltration from other compromised hosts.

Demonstrating the importance and continued relevance of Kazuar to the Turla group, November 2020 saw the refactoring of Kazuar’s code to likely improve its ability to evade security solutions as well as some changes to its capabilities.

Notably, the ability to capture images from a victim’s webcam have reportedly been removed, likely due to this having a limited benefit, whilst a keylogging and password stealing capability has been added alongside improved system information gathering.

The ability to log a victim’s keypresses and steal saved passwords is a common cybercriminal RAT capability and will undoubtedly prove useful to Turla when attempting to gain additional access to systems, elevate their current privileges and move laterally across a victim network.

Furthermore, a script capability has reportedly been added which would allow JavaScript (JS), PowerShell (PS), Visual Basic Script (VBS) and Windows Management Interface (WMI) commands to be executed and would therefore somewhat limitless capabilities to interact with a victim host.

Crutch

Attributed to Turla by researchers at ESET [5], Crutch is a toolset reportedly in use by Turla since 2015 and was observed in espionage attacks against a European government ministry in 2020.

Likely deployed as a second-stage threat to a victim host by some other payload, Crutch gains persistence through the use of dynamic link library (DLL) hijacking such as observed alongside the delivery and abuse of a legitimate Microsoft Outlook ‘item finder’ executable (finder.exe) and DLL (resources.dll).

Having gained persistence, Crutch identifies ‘files of interest’ from the local filesystem and any removeable drives which are then compressed using the RAR archiver to a set of exfiltration staging files. Subsequently, Crutch makes use of ‘Wget’ to upload this stolen data to the cloud-storage service Dropbox, likely in an attempt to appear somewhat inconspicuous rather than generating traffic to some unknown or low-reputation command and control (C2) infrastructure.

Given the requirement for both the RAR archiver and Wget utilities, legitimate versions of these have been observed as delivered alongside the Crutch threat and the supporting Outlook files used for persistence.

Whilst earlier versions of this threat were observed as receiving C2 commands via fake RAR archives downloaded from the Dropbox account used for data exfiltration, this capability was reportedly removed from the most recently observed sample, dubbed version 4 by ESET, potentially in an attempt to evade detection through analysis of a compromised host’s network activity.

SilentMoon

Observed in, or around, October 2020 as targeting a European government organization, SilentMoon, also known as ‘GoldenSky’ and ‘HyperStack’, was reportedly first observed in 2018 and is described as a custom Remote Procedure Call (RPC) backdoor utilized by Turla alongside other threats including Kazuar.

Unlike traditional backdoor threats, requiring command and control (C2) instructions to be sent directly to victim hosts, SilentMoon allows a single ‘controller’ on a victim network to effectively become a ‘bridgehead’ and send commands to other SilentMoon ‘clients’ via named pipes [6], those being a native Windows method for passing information from one process to another.

Additionally, SilentMoon attempts to move laterally within a victim network by to connect to other Windows hosts using either default credentials or a null session connection [7], ‘IPC$’ share, and, if successful, likely copies itself to the remote host.

Anecdotal reports also suggest that SilentMoon includes a clean-up module that specifically searches for log files prepended with -x in order to remove traces of yet another tool, albeit detail of this capability or the additional tool is limited.

Recommendations

Whilst Turla have predominantly targeted Governmental, and associated, organizations in the past, organizations across multiple sectors worldwide should at least consider the tactics, techniques and procedures (TTP) utilized by this nation-state sponsored threat group.

Although much of Turla’s attack toolkit is custom written and likely tailored to specific victims, their initial attack vectors remain somewhat consistent across observed campaigns.

As such, organization should consider the following to reduce their risk to both Turla and similarly motivated threat actors:

Employee security awareness training, taking into account topical themes used by threat actors, can help them identify and handle suspicious content such as email attachments.
Reinforce the message that files encouraging users to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost certainly malicious.
Use Group Policy to disable macros from running in Microsoft Office applications (legitimate macros should be digitally signed to allow for an exception to the disable rule).
Disable administrative tools and script interpreters, such as JavaScript, PowerShell and Visual Basic Script, to prevent misuse by malicious payloads.
Limit user permissions according to the principal of least privilege (POLP).
Enhance network security by employing latest intrusion detection and prevention systems (IDS/IPS), including the denial of access to known malicious, or suspicious, domains, hosts and IP addresses.
Segregate networks through the creation of separate logical segments based on assets that share a similar risk profile, limiting communications between each segment and each client to contain threats.