
An in-depth look at the full picture of the Turla group's attacks

Researchers have recently consolidated the historical attack events and intelligence data on the Turla group and carried out an in-depth analysis of the components in its arsenal. As a representative high-level threat group, Turla has long been a focus of researchers' tracking.

Turla is an APT group with a Russian government background, known for its complex malicious components and its broad range of targets. The group was exposed in 2008 when it compromised computer systems of the US Central Command. In the following years, many security companies disclosed numerous Turla-related attacks. Based on the use of attack components associated with Turla, the group's earliest activity is estimated to date from around 2004.

Since then, victims of attacks launched by the Turla group have spanned more than 45 countries, and its targets include government agencies, embassies, international organizations, the military, higher education institutions, scientific research institutions and pharmaceutical companies. The ultimate aim of the attacks is espionage: stealing sensitive information from the target organization through a series of cyber espionage activities.

According to information disclosed by Estonian intelligence services, the Turla group is suspected to belong to the Russian Federal Security Service (FSB), the agency responsible for counter-espionage within the Russian Federation, which is also named in some reporting as one of the agencies behind APT29.


Check Point Research, working with Intezer's code-attribution engine, performed correlation analysis on the malware used by Russian-backed APT groups; the excerpt of that analysis covering the Turla group's attack components is reproduced in the original report.


The researchers' profile of Turla is as follows.

Turla group profile

Names: Turla, Venomous Bear, Waterbug, Snake, Uroburos, WhiteBear.
Timeline: Publicly exposed in 2008; earliest activity traced back to around 2004; activity continuing after 2015.
Background: Backed by the Russian government; suspected to belong to the Russian Federal Security Service (FSB).
Targets: Geographically, Turla's victims span Europe, Asia, South America and other regions, with a focus on the Middle East, the European Union and NATO member states. More than 45 countries and regions are affected, including Vietnam, Singapore, Bangladesh, Morocco, Kyrgyzstan, the UAE, Austria, Switzerland, Germany, Romania, Turkmenistan, Tajikistan, Qatar, Greece, the United Kingdom, Somalia, Russia, Pakistan, the United States, Ukraine and South Korea. Targeted sectors include government agencies, embassies, international organizations, the military, higher education institutions, scientific research institutions and pharmaceutical companies.
Objective: Network surveillance and intelligence theft.
Attack methods: Web server compromise, network traffic hijacking, watering-hole attacks, spear-phishing, supply-chain attacks, exploitation of RCE vulnerabilities, and USB-drive based social engineering.
Spear-phishing payload types: Exploit documents, macro documents, trojanized installers.
Vulnerabilities used: CVE-2007-5633, CVE-2008-3431, CVE-2009-1123, CVE-2009-0824, CVE-2010-0232, CVE-2010-1592, CVE-2012-1723, CVE-2013-5065, CVE-2013-3346, CVE-2017-0261.
Arsenal: Open-source tools, leaked tools and self-developed custom Trojans; see the list below.
In three sentences:

1. Large-scale compromise of web sites, using the compromised sites as C2 servers or to host malicious code in subsequent attacks.

2. Identify the target machine, deliver the payload precisely, move through the target network, and maintain long-term surveillance.

3. Advanced malware development and anti-tracking capabilities: after an operation is exposed, the toolset is updated and its fingerprintable characteristics are reduced.

Across its historical activity the Turla group has used a wide range of attack components: backdoors with basic data-collection and shell-execution functions, advanced components with full remote-control and long-term surveillance capabilities, leaked Equation Group components, and a number of third-party tools.

The components are summarized below according to their functional complexity and the stage at which they are likely to be delivered and activated in an actual attack.

Turla arsenal

First-stage backdoors/loaders/plugins
Epic : Basic first-stage backdoor.
Skipper : Basic backdoor, generally implanted in the form of a browser plug-in.
KSL0T : Keylogger.
Wipbot : Basic backdoor with download capability.
IronNetInjector : Malicious IronPython (.ipy) loader that bundles the IronPython engine.
PNG Dropper : Dropper that carries its payload hidden inside PNG files.
Intermediate backdoors
KopiLuwak : JavaScript backdoor used as an intermediate-stage component; originally dropped by a macro document.
HyperStack : Client/server pair that communicates over RPC via named pipes between hosts on the LAN; used for monitoring within a network segment.
Neptun : RPC backdoor similar to HyperStack.
Backdoor : Mail-stealing backdoor that uses the victim's mailbox as its C2 channel.
Nautilus : Turla backdoor disclosed by the UK National Cyber Security Centre (NCSC).
Mosquito : Turla backdoor disclosed by ESET; delivered through hijacked downloads of a legitimate installer (such as Flash Player) and used as a persistent backdoor.
AcidBox : Backdoor disclosed by Palo Alto Networks' Unit 42 that stores sensitive data as an overlay on an icon resource, abuses the Security Support Provider (SSP) interface for persistence and injection, and keeps its payload in the Windows registry.
Advanced backdoors
Crutch : Monitors the PC and removable storage media, steals sensitive Office/PDF documents and exfiltrates them through an online cloud storage service; generally used in the later stages of an attack.
Agent.BTZ : Complex worm that spreads across networks and flash drives, collects sensitive information and sends it to remote command-and-control servers; known for its central role in the 2008 intrusion into US military networks.
Uroburos : Complex rootkit used by Turla and the successor of Agent.BTZ; consists of drivers and an encrypted virtual file system, giving complete control of the infected system, arbitrary command execution and theft of sensitive information.
ComRAT : Direct descendant of Agent.BTZ, substantially rebuilt to enhance its RAT functionality.
Penquin : Linux version of the Turla (Uroburos) malware.
Carbon : Turla's self-developed, continuously updated modular attack framework, which acts as a plugin manager for plugins supplied by its command-and-control server; it includes an orchestrator, a dropper, a downloader and libraries that are injected into browsers and e-mail clients.
Gazer : Advanced backdoor used to monitor the target host; publicly disclosed by ESET.
LightNeuron : Backdoor targeting Microsoft Exchange servers, implemented as a mail transport agent; beyond full backdoor functionality it can read, modify and block e-mail. Usually deployed in the later attack phase.
DarkNeuron : Paired client/server components for LAN monitoring: the client infects endpoints and steals sensitive information, while the server infects a network server and acts as local C2 for the clients.
Kazuar : Backdoor written in .NET that gives operators full remote access to the infected computer; extensible, able to load additional plug-ins, with newer versions supporting a reverse web-service mode.
Third-party tools
Empire : Open-source, cross-platform remote administration and post-exploitation framework publicly available on GitHub; used for PowerShell-based post-exploitation.
Certutil : Windows command-line utility for obtaining certificate authority information and configuring certificate services; abused as a living-off-the-land binary to download and decode payloads.
PsExec : Free Microsoft tool for executing programs on another computer, used by IT administrators and attackers alike; used here for shell execution and lateral movement.
Nbtstat : Utility for troubleshooting NetBIOS name resolution; used for reconnaissance.
SScan and NBTScan : Network reconnaissance.
IntelliAdmin : Used to execute RPC commands.
Meterpreter : Metasploit payload used as an in-memory loader.
Equation Group tools : Leaked EternalBlue, EternalRomance, DoublePulsar and SMBTouch components.
Mimikatz : Credential theft.
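The AcidBox entry above describes persistence through the Security Support Provider (SSP) interface: LSA loads the DLLs named in the "Security Packages" and "Authentication Packages" values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (and Lsa\OSConfig) at boot, so a registered rogue DLL runs inside lsass.exe on every start. The following hunting script is an added example, not code from this page or from any of the vendors cited. It reads those values with Python's winreg module when run on Windows and flags entries that fall outside a baseline; the KNOWN_PACKAGES baseline is an assumption to be tuned against your own golden image, and the updsvc.dll name in the sample list is made up.

```python
import sys

# Baseline of SSP/AP names shipped with Windows. Assumption, not a Microsoft
# published list: adjust it against a known-good image of your own build.
KNOWN_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg",
                  "pku2u", "cloudap", "negoexts", "livessp"}

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUES = ("Security Packages", "Authentication Packages")


def normalize(entry):
    """Reduce 'C:\\Windows\\System32\\foo.dll' or 'foo.DLL' to 'foo' for comparison."""
    name = entry.strip().lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".dll") else name


def suspicious_packages(entries, known=KNOWN_PACKAGES):
    """Return the entries of a REG_MULTI_SZ package list that are not in the baseline.
    Empty strings (the default value on recent Windows builds, which then load the
    list from Lsa\\OSConfig instead) are ignored."""
    return [e for e in entries if normalize(e) and normalize(e) not in known]


def read_live_lists():
    """On Windows, read the package lists under Lsa and Lsa\\OSConfig via winreg.
    Elsewhere return None so the module can still be imported and tested."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    found = {}
    for sub in ("", r"\OSConfig"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY + sub) as key:
                for value in LSA_VALUES:
                    try:
                        data, _ = winreg.QueryValueEx(key, value)
                    except FileNotFoundError:
                        continue
                    found[f"Lsa{sub}\\{value}"] = list(data) if isinstance(data, list) else [data]
        except FileNotFoundError:
            continue
    return found


# Constructed sample of what QueryValueEx returns for "Security Packages" on a
# host where an extra DLL has been registered as an SSP (updsvc.dll is made up).
SAMPLE_SECURITY_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg",
                            "pku2u", r"C:\Windows\System32\updsvc.dll"]

if __name__ == "__main__":
    live = read_live_lists()
    lists = live if live else {"sample": SAMPLE_SECURITY_PACKAGES}
    for name, entries in lists.items():
        print(name, "->", suspicious_packages(entries) or "clean")
```

A hit from this check is only a lead: confirm it by checking the DLL's signature and location, and remember that an attacker can equally register the provider at runtime with AddSecurityPackage, which leaves no registry trace and has to be caught from the LSA load event instead.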

As an APT group with strong backing, a rich arsenal and an activity span of nearly 20 years, Turla has long been a focus for threat intelligence vendors worldwide. Its components are complex, its attack chains are elaborate, its activity is highly concealed and it has a degree of counter-analysis capability. These characteristics pose major challenges for reverse engineering and attribution, as does the lack of context around individual components and the siloing of intelligence among security vendors, which hinders analysis before an event can be fully reconstructed. The Weibu Intelligence Bureau will continue to track Turla's activity, disclose its latest developments and work with security teams across the industry to reconstruct the most accurate possible picture of Turla.

IOCs

IP addresses:
212.21.52.110
185.141.62.32
134.209.222.206
37.59.60.199
85.222.235.156

Domains:
zebra.wikaba.com
aiisa.am
soligro.com
skategirlchina.com
www.armconsul.ru
belcollegium.org
www.berlinguas.com
mnp.nkr.am
www.balletmaniacs.com
.com
markham-travel.com

MD5 hashes:
869c9b1209009a6887f31ffb7c43fa04
0674e34d0b01e1c71e4666da1f3b589f
0fb4042d252d1acc6d3e46fd47445cf6
d672139849f9855bfb703fcaec020a2f
9446059710c1869fc8aa9f0ef75d82f4
b11d85844af9fa84bf84ff746557f0b5
48f52e0c7aa72c2ccc5f5fcbd8e1290b
0ebe822e8c7ebb803ae5b6b74601c36f
e46da9ab2096ebb33279a808f5a7ee77
1777b81f3f87648b2344ea480bbcba65
98ce8c41188fcc1a92d0a23569c3765c
eff5881b4bf83386e26c451ff7c34a90
f376bc51b1220e5fc520ce60762ac6ce
40aa66d9600d82e6c814b5307c137be5
f4f192004df1a4723cb9a8b4a9eb2fbf
cb1b68d9971c2353c2d6a8119c49b51f
e1ee88eda1d399822587eb58eac9b347
db93128bff2912a75b39ee117796cdc6
a67311ec502593630307a5f3c220dc59
a7853bab983ede28959a30653baec74a
2145945b9b32b4ccbd498db50419b39b
62e9839bf0b81d7774a3606112b318e8
7a778e076e48ff269e91f17a15ea97d5
bfa7e07441929be3c6d5002e3be467ea
cafe3f10dc01ad158b14932b6562616f
a029007534b95c2bd8e29e80f97f292d
3e65a6d5658e6517c59d978dc159057a
3c32e13162d884ab66e44902eddb8eee
cc3adfe6079c1420a411b72f702e7dc7
dfca3fc4b7f4c637d7319219fcec1876
b7fd4c5119867539e36e96de1d07af6e
110e9bc680c9d5452c23722f42c385b3
137eb9b6ef122857bde72f78962ed208
dfce6f7d3a992dc2ee7fedb8dea58237
905b4e9a2159dab45724333a0d99238f
2e244d33dd8eb70bd83eb38e029d39ac
6e7991f93c53a58ba63a602b277e07f7
7c378d78b7a89aef27e8a3c5066b8511
170edf8b58126a5e69ef31b67953589a
05d07279ed123b3a9170fa2c540d2919
277f2d8e682f7ffc071560f44af4ab41
122907a62a6ade198e94b87eed4b4810
79db9a7ca5c2f1ff0919b9b582734159
150d0addf65b6524eb92b9762db6f074
a6efd027b121347201a3de769389e6dd
3b10f20729d79ca3a92510674ff037c2
c9c819991d4e6476e8f0307beed080b7
e5a90e7e63ededbdd5ee13219bc93fce
71f821c443d618cf40411b9a79e95d5c
50c98af90563bae4f89219d50feba38f
e6d114379914a51c09949e37e1790f62
f58e5a860a4d846ebe86596f9691e2e8

SHA1 hashes:
39efb312829a44191be0724bf1b06a80478c8f1d
0133512142805b89b5a86dfa67a82aaedbbab69c
884038cbbfefaeefe992a55f9f949b167430cf7e
7e138c1337a29868fddfa99f52dfe1de38e46c9e
a91612cadaccc19d101710b0ae77151a7a1b043b
44efacb89badadb486839165aba4d1ecdf3f047e
347f31769431ad70147e68fbb6bfa1e17fe283e9
86681c0c9b171f1afef5b06104abe8abcf0c992e
ad81f2f00f25cd0e45151d42d63c46db3ae39bed
ae76df8def138b6d4c82984f7172ed5bba737e1b
2920d5e6c579fce772e5506caf03af65579088bd
d7a18413d8c2b2525a0c90aaa392bdaef377e2ec
3e65b2df40001253ad8d9a3430a597c7b028bae9
e786c62f803ce75452d46c4354dc00b47628c140
b24faec08f3ec818c0380145a333251284792995
cbde204e7641830017bb84b89223131b2126bc46
32287d26656587c6848902dbed8086c153d94ee7
418645c09002845a8554095b355f47907f762797
74b0c62737f43b0138cfae0d0972178a14fbea10
eee11da421c7268e799bd938937e7ef754a895bf
690f18810b0cbef06f7b864c7585bd6ed0d207e0
6f2e50c5f03e73e77484d5845d64d952b038a12b
977d4a6ee64dae2b51bc28cf5a45c87ceafec8c4
1de19bba99e7ce80116b8e00141db5b525774e81
c30af6fa5df14e1ba9355b60a9214937f6f18990
71458cf1ff75e90d555fdd60461366fbc51d4b6d
04fb0667b4a4eb1831be88958e6127cd7317638a
24925a2e8de38f2498906f8088cf2a8939e3cfd3
ba3519e62618b86d10830ef256cce010014e401a
4b5610ac5070a7d53041cc266630028d62935e3f
240d3473932e4d74c09fcc241cf6ec175fdce49d
c51d288469df9f25e2fb7ac491918b3e579282ea
48bcec5a65401fbe9df8626a780f831ad55060a1
bee79383bcc73cf1e8e938131179223adb39ac1d
3dc74671768eb90463c0901570c0aae24569b573
e0788a0179fd3ecf7bc9e65c1c9f107d8f2c3142
d6e6eab05af60a496060d266f144e43f6d5d6ec1
5730e117b1efddc9a438a8bf603ff8b17736453e
c28605d9828e33613b3570c7297a6b572898f750
d90c21fcf42411f119409db6b5deb0f6eff2eea3
ef4c92aebb571336cd8c128abee9fe8928e6306d
3dbc6dd12652fad8cd18a4993a76b3f0bcce3fcf
7d9e5641ffb418a6c1a7c7bcfefdfe1415457ea6
0b764a8a78ce0cbadcf18ca57c62a43ce393d7dd
76555c5faff29cea6c2ede2d0f522a086c9a7df2
80b5cd49f809c2c9c41007d7de1e941bfbd7c1f2
e5fbba422578209f1045210390eca977f5c5ded7
8dfff7785c2562122e424745e40f7ad1ce6bdbb9
60f01f7a6df5e7b7253c70f863b6be70d5b56a6d
5d5825b14377c5e5fe96816dd72a90bd13dc9fc8
5daaab45d8dc6e9aa2b8432fe8dd7cdab1c8e8b5
36bba4d26ecf02623a51c6241133c4290551e27f
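To turn an indicator dump of this shape into something a SOC can run, the following added example (not code from the original page) parses a mixed list, classifies each entry as an IPv4 address, domain, MD5 or SHA1 by its form, rejects malformed entries such as the bare ".com" that appears in the list above, and then checks constructed proxy log lines and a constructed file-hash inventory against the result. The indicators embedded in IOC_TEXT are a subset of those published here; the proxy log format, the client addresses, the file paths and the inventory layout are all made up for the example.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of this page's indicators plus its bare ".com" entry, kept to show rejection of malformed lines.
IOC_TEXT = """
212.21.52.110
185.141.62.32
zebra.wikaba.com
soligro.com
.com
869c9b1209009a6887f31ffb7c43fa04
39efb312829a44191be0724bf1b06a80478c8f1d
"""

# One or more DNS labels (1-63 chars, no leading/trailing hyphen) plus an alphabetic TLD.
DOMAIN = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(token):
    """Return 'ip', 'domain', 'md5', 'sha1', or None for one indicator string."""
    t = token.strip().lower()
    try:
        ipaddress.IPv4Address(t)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{32}", t):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", t):
        return "sha1"
    return "domain" if DOMAIN.match(t) else None


def parse_iocs(text):
    """Split a mixed indicator list into typed sets; unrecognized lines go to 'rejected'."""
    iocs = {"ip": set(), "domain": set(), "md5": set(), "sha1": set(), "rejected": []}
    for token in (l.strip().lower() for l in text.splitlines() if l.strip()):
        kind = classify(token)
        if kind is None:
            iocs["rejected"].append(token)
        else:
            iocs[kind].add(token)
    return iocs


def domain_hit(host, domains):
    """Exact or subdomain match: an IOC of zebra.wikaba.com also covers cdn.zebra.wikaba.com."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)


def host_from_target(target):
    """Host part of a proxy log target: a full URL, or host:port for CONNECT requests."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


# Constructed proxy log lines: timestamp, client IP, method, target, status.
PROXY_LOG = """\
2021-03-02T10:15:01Z 10.0.0.15 GET http://soligro.com/wp-content/upload.php 200
2021-03-02T10:15:07Z 10.0.0.15 GET https://www.microsoft.com/ 200
2021-03-02T10:16:30Z 10.0.0.22 POST http://cdn.zebra.wikaba.com/api 302
2021-03-02T10:17:02Z 10.0.0.31 CONNECT 185.141.62.32:443 200
"""


def scan_proxy_log(log, iocs):
    """Return (line_no, client, kind, indicator) for each log line that touches an IOC."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        client, host = fields[1], host_from_target(fields[3])
        if host in iocs["ip"]:
            hits.append((n, client, "ip", host))
        elif (d := domain_hit(host, iocs["domain"])):
            hits.append((n, client, "domain", d))
    return hits


# Constructed file inventory (EDR-style export); the empty-file digests are benign filler.
FILE_INVENTORY = """\
path,md5,sha1
C:\\Users\\a\\AppData\\Local\\Temp\\setup.exe,869C9B1209009A6887F31FFB7C43FA04,da39a3ee5e6b4b0d3255bfef95601890afd80709
C:\\ProgramData\\svc\\host.dll,d41d8cd98f00b204e9800998ecf8427e,39efb312829a44191be0724bf1b06a80478c8f1d
"""


def scan_file_inventory(csv_text, iocs):
    """Return (path, kind, indicator) for each file whose MD5 or SHA1 is a known IOC."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        md5, sha1 = row["md5"].lower(), row["sha1"].lower()
        if md5 in iocs["md5"]:
            hits.append((row["path"], "md5", md5))
        elif sha1 in iocs["sha1"]:
            hits.append((row["path"], "sha1", sha1))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(iocs["rejected"], scan_proxy_log(PROXY_LOG, iocs), scan_file_inventory(FILE_INVENTORY, iocs))
```

Two design points matter in practice: classification by form rather than by list position keeps a stray line like ".com" from becoming a wildcard match, and the subdomain rule means a compromised legitimate site listed here will also flag its subdomains, which is usually what you want for watering-hole infrastructure but should be reviewed before blocking.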