Turla APT has launched new attacks against high-profile entities since January 2020
Security company ESET has shared its findings on recently renewed attacks by the Turla Advanced Persistent Threat (APT) against high-profile institutions. According to the company, the gang has invested much effort in reviving the infamous ComRAT backdoor, which started its “career” as Agent.BTZ back in 2008, when the virus breached the US military and the incident was condemned by Pentagon officials as “the most significant breach of U.S. military computers ever.”
Turla APT is described as an elite, state-backed Russian cyber-espionage group, which has been linked to a long list of incidents over more than ten years of existence. The group is also called Snake, Group 88, Iron Hunter, Venomous Bear, or Chinch. It does not go after individuals, but rather launches targeted attacks against governmental institutions. Kaspersky Lab has described this threat as follows:
It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South America, and former Soviet bloc nations.
Turla’s new campaign was first spotted in January 2020, when ESET found a renewed strain of ComRAT targeting three high-profile institutions, i.e. a national parliament in the Caucasus and two Ministries of Foreign Affairs in Eastern Europe.
A renewed variant of ComRAT uses Gmail web UI to remain undetected and exfiltrate data
The history of ComRAT as a Remote Access Trojan (RAT) stretches back to 2008 when, as pointed out above, it managed to exfiltrate data from the U.S. military and affected PCs used by Central Command in the Iraq and Afghanistan combat zones. That variant of ComRAT was distributed via removable drives and exhibited the traits of a regular trojan, i.e. it infiltrated Windows OS via security loopholes, launched the payload, created persistence, and subsequently connected to a remote C2 server for regular data transmission.
However, compared to the previous ComRAT variants, the 2020 update is far more sophisticated. A deep analysis of this threat shows that it has been in active development since 2017. Despite being built on the identical code, ComRAT v4 has been supplemented with several new traits for more successful data theft and better self-protection.
First of all, ComRAT v4 uses PowerStallion PowerShell backdoor commands to access the targeted machine. After a successful infiltration, it establishes a connection with the Command and Control server in two ways, i.e. over the HTTP protocol, just like its ancestors, and through the Gmail web interface, which allows the RAT to receive commands and exfiltrate data.
Its most interesting feature is the use of the Gmail web UI to receive commands and exfiltrate data. Thus, it is able to bypass some security controls because it doesn’t rely on any malicious domain.
Such changes lead cybersecurity researchers to presume that ComRAT v4 is a highly potent cyber threat that can become the worst nightmare of governmental institutions.
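The point above, that a domain blocklist has nothing to match when the C2 channel is the Gmail web UI, shown as an added example (not from ESET or the original article): a role-based egress check over a constructed proxy log. The log format, host names, roles, blocklist entry and the NO_WEBMAIL_ROLES policy are all assumptions made for illustration.

```python
import csv
import io

# Constructed proxy log (not real telemetry):
# time, source host, host role, destination, bytes sent
SAMPLE_LOG = """\
2020-05-26T09:01:12Z,ws-114,workstation,mail.google.com,1840
2020-05-26T09:01:40Z,ws-114,workstation,updates.example.org,512
2020-05-26T09:02:03Z,dc-01,domain-controller,mail.google.com,48211
2020-05-26T09:02:30Z,fs-02,file-server,bad-domain.example,300
2020-05-26T09:03:10Z,dc-01,domain-controller,mail.google.com,51877
"""

BLOCKLIST = {"bad-domain.example"}   # constructed reputation feed
WEBMAIL = {"mail.google.com"}        # the service named in the article
NO_WEBMAIL_ROLES = {"domain-controller", "file-server"}  # assumed local policy


def parse(log_text):
    """Yield one dict per log line, with bytes_out converted to int."""
    fields = ["time", "host", "role", "dest", "bytes_out"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        row["bytes_out"] = int(row["bytes_out"])
        yield row


def blocklist_hits(events):
    """Reputation check: only fires on destinations already known as bad."""
    return [e for e in events if e["dest"] in BLOCKLIST]


def policy_hits(events):
    """Summarise webmail traffic from host roles that should never use it."""
    summary = {}
    for e in events:
        if e["dest"] in WEBMAIL and e["role"] in NO_WEBMAIL_ROLES:
            s = summary.setdefault(e["host"], {"requests": 0, "bytes_out": 0})
            s["requests"] += 1
            s["bytes_out"] += e["bytes_out"]
    return summary


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("blocklist:", [(e["host"], e["dest"]) for e in blocklist_hits(events)])
    print("policy:", policy_hits(events))
```

A workstation reaching Gmail is ordinary traffic, which is why the check keys on host role and outbound volume rather than on the destination alone.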
ComRAT harvests antivirus logs
According to ESET, Turla operators are putting much effort into bypassing security software. Once the RAT is installed, it is programmed to search for security-related log files to determine whether or not the malware is easily detected by AV engines.
This shows the level of sophistication of this group and its intention to stay on the same machines for a long time.
Additionally, it seeks to obtain as many technical details about the host machine as possible. For instance, it keeps recording Active Directory groups and users, the network details, Microsoft Windows configurations (group policies), and more.
As researchers point out, the Turla group and its novel ComRAT spyware are at the peak of their activity. Earlier this week, Kaspersky Lab submitted a whitepaper warning the cyber community about a renewed COMpfun RAT, which stems from the same Turla group and is genealogically related to ComRAT.
Thus, security experts are expected to strengthen their defenses against this backdoor trojan to prevent its attacks on high-profile entities and organizations. It seems that the APT group may have plans to spread the malware on a large scale.