The Turla malware

Turla is one of the most advanced APT (Advanced Persistent Threat) groups in the world.

The Turla group is a well-established collective that has been operational since at least 2004.

Also known as Snake, Venomous Bear, Uroburos, Group 88, Waterbug, and Turla Team, it is one of the most sophisticated cyber-espionage campaigns today.

It is famous for developing new and advanced techniques to avoid detection and ensure persistence on the targeted network.

This adversary is known for targeting, among others, the government, defense, and education sectors all around the globe.


Turla’s attacks

Turla is known to have a taste for high-profile victims. The group was reported to have infiltrated Germany’s Federal College of Public Administration and, through it, to have compromised the country’s Federal Foreign Office.

This wasn’t a one-time intrusion; it was discovered that Turla remained under the radar of the German authorities for most of 2017.

During this time, the group collected and stole government data. This operation was carried out with a tool known as the Turla Backdoor.

Three European countries have reported attacks by this Russian hacker group. The targets were once again their overseas offices.


The characteristics of Turla

We can assume that Turla is heavily involved in espionage, as its main targets have always been diplomats, the military, and state and political authorities.

It is suspected that the Turla APT may be linked to the Russian government, but this information has yet to be confirmed.

The Turla backdoor is believed to date from 2009. The group has not been idle since then and has introduced many improvements to the backdoor, such as the ability, added in 2016, to receive commands via a PDF file attached to an email.

In 2018, a new feature was added to the Turla APT backdoor: it was updated with the ability to run PowerShell commands on the infected host.

This newer version of the backdoor is also able to infiltrate Microsoft Outlook.

Interestingly, Turla does not exploit a vulnerability in the application; instead it abuses the legitimate Microsoft Outlook Messaging Application Programming Interface (MAPI) and through it gains access to the messages of its intended targets.

Unlike most backdoors, which usually receive commands from the attacker’s command-and-control (C2) server, the Turla Backdoor is controlled via specially crafted emails, thanks to the enhancement the group introduced in 2016.

The Turla Backdoor is capable of executing many commands, including collecting data and downloading and executing various files.

The backdoor is not demanding about where it is planted: the Turla Backdoor takes the form of a DLL (Dynamic Link Library) module and can run from any location on the hard drive.

Additionally, Turla uses a built-in Windows utility (regsvr32.exe) to register and install its backdoor DLL on the target system.
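Because the backdoor is a DLL that can live anywhere on disk and is installed through regsvr32.exe, a useful defender's check is to flag regsvr32 launches that register a DLL from outside the Windows and Program Files directories. The script below is an added example for this page, not Turla tooling and not code from the original article; the process-creation records it parses use a constructed, simplified `pid=|parent=|image=|cmd=` format, and the sample lines are invented.

```python
"""Flag regsvr32.exe launches that register a DLL from a non-system path.

Added example for this page (not from the original article, not Turla code).
The log format and the sample records below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Directories from which a legitimately installed DLL is normally registered.
# Anything else (user profile, temp, shares, removable media) is treated as suspect.
TRUSTED_DLL_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# A .dll argument on the command line, either quoted or bare.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    dll: str
    reason: str


def parse_record(line):
    """Parse 'pid=...|parent=...|image=...|cmd=...' (constructed format) into a dict."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["pid"] = int(fields["pid"])
    return fields


def dll_from_cmdline(cmd):
    """Return the lower-cased DLL path passed to regsvr32, or None if there is none."""
    m = DLL_ARG.search(cmd)
    if not m:
        return None
    return (m.group(1) or m.group(2)).lower()


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_DLL_PREFIXES)


def analyze(lines):
    """Return one Finding per regsvr32 launch whose DLL lies outside trusted directories."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if not rec["image"].lower().endswith("\\regsvr32.exe"):
            continue
        dll = dll_from_cmdline(rec["cmd"])
        if dll is None:
            continue  # no DLL argument; out of scope for this check
        if not is_trusted_path(dll):
            findings.append(Finding(rec["pid"], dll, "DLL registered from a non-system directory"))
    return findings


# Constructed sample records: two suspicious registrations, one benign, one unrelated process.
SAMPLE_LOG = [
    "pid=4120|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmd=regsvr32.exe /s \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll\"",
    "pid=4188|parent=C:\\Windows\\System32\\msiexec.exe|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmd=regsvr32 /s C:\\Windows\\System32\\msxml6.dll",
    "pid=4201|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe"
    "|cmd=notepad.exe notes.txt",
    "pid=4310|parent=C:\\Windows\\System32\\cmd.exe|image=C:\\Windows\\SysWOW64\\regsvr32.exe"
    "|cmd=regsvr32 /s D:\\Shared\\tools\\helper.dll",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"pid {f.pid}: {f.reason}: {f.dll}")
```

The trusted-prefix list is deliberately short; on a real estate you would extend it with your own software deployment paths and feed the function from your EDR or Sysmon process-creation events rather than the constructed format used here.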

Of course, like any highly capable threat of this kind, the Turla Backdoor is built for persistence.

To minimize the chances of being caught, the Turla Backdoor does not perform its “duties” all the time. Instead, it uses a known vulnerability in Windows related to the Component Object Model (COM).

By exploiting this vulnerability, the backdoor has its instances loaded into the legitimate ‘outlook.exe’ process, thus eliminating the need for DLL injection, an attack vector that antivirus products easily detect.
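The COM technique described above relies on the fact that Windows resolves a COM class by consulting the per-user hive (HKCU\Software\Classes\CLSID) before the machine-wide one (HKLM\Software\Classes\CLSID), so a DLL registered under a CLSID in HKCU is loaded by any process, Outlook included, that instantiates that class. The hunt below is an added example for this page, not Turla tooling and not from the original article; it assumes that mechanism, uses constructed registry snapshots with placeholder CLSIDs (not real Windows or Turla values), and includes a Windows-only helper that reads a live hive through the standard `winreg` module.

```python
"""Hunt for per-user COM class registrations that shadow machine-wide ones.

Added example for this page (not from the original article, not Turla code).
Assumption: the technique is a per-user CLSID registration under
HKCU\\Software\\Classes\\CLSID, which Windows consults before HKLM.
The registry snapshots below are constructed; the CLSIDs are placeholders.
"""

TRUSTED_DLL_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def trusted(path):
    return path.lower().startswith(TRUSTED_DLL_PREFIXES)


def find_com_overrides(hkcu_clsid, hklm_clsid):
    """Return (clsid, dll, reason) for every HKCU CLSID whose InprocServer32
    points to an untrusted DLL or shadows an HKLM registration of the same CLSID.

    Both arguments map CLSID -> InprocServer32 default value (the server DLL path).
    """
    findings = []
    for clsid, dll in hkcu_clsid.items():
        reasons = []
        if clsid in hklm_clsid and hklm_clsid[clsid].lower() != dll.lower():
            reasons.append("shadows HKLM registration %s" % hklm_clsid[clsid])
        if not trusted(dll):
            reasons.append("server DLL outside system/program directories")
        if reasons:
            findings.append((clsid, dll, "; ".join(reasons)))
    return findings


def snapshot_clsids(hive_name):
    """Read CLSID -> InprocServer32 default value from a live hive (Windows only).

    hive_name is 'HKCU' or 'HKLM'. Returns {} where winreg is unavailable.
    """
    try:
        import winreg
    except ImportError:
        return {}
    root = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    result = {}
    try:
        key = winreg.OpenKey(root, r"Software\Classes\CLSID")
    except OSError:
        return result
    with key:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                result[clsid] = winreg.QueryValue(key, clsid + r"\InprocServer32")
            except OSError:
                continue  # class has no in-process server
    return result


# Constructed snapshots with placeholder CLSIDs (not real Windows or Turla identifiers).
HKLM_CLSID = {
    "{00000000-AAAA-BBBB-CCCC-000000000001}": "C:\\Windows\\System32\\example_legit.dll",
    "{00000000-AAAA-BBBB-CCCC-000000000002}": "C:\\Program Files\\Vendor\\addin.dll",
}
HKCU_CLSID = {
    # Per-user override of a machine-wide class, pointing into the user's profile.
    "{00000000-AAAA-BBBB-CCCC-000000000001}": "C:\\Users\\alice\\AppData\\Roaming\\mapi_helper.dll",
    # Per-user-only class served from a user-writable directory.
    "{00000000-AAAA-BBBB-CCCC-000000000003}": "C:\\Users\\alice\\AppData\\Local\\Programs\\tool\\tool.dll",
    # Identical to the HKLM entry: benign.
    "{00000000-AAAA-BBBB-CCCC-000000000002}": "C:\\Program Files\\Vendor\\addin.dll",
}

if __name__ == "__main__":
    hkcu = snapshot_clsids("HKCU") or HKCU_CLSID
    hklm = snapshot_clsids("HKLM") or HKLM_CLSID
    for clsid, dll, reason in find_com_overrides(hkcu, hklm):
        print(f"{clsid} -> {dll}: {reason}")
```

A shadowed CLSID is the stronger signal: a user-installed application may legitimately register its own classes under HKCU, but one that overrides a class already registered system-wide and serves it from a profile directory deserves a look at the DLL itself.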

By infiltrating Microsoft Outlook, Turla Backdoor is able to collect metadata about the victim’s messaging activity: email subject, attachment name, senders, and recipients.

This data is collected and stored by the Backdoor and is periodically transferred to the attacker’s servers.

A threat like this backdoor could cause a lot of damage, especially if the attackers manage to infect a system used to store sensitive data or communications, and it is clear that Turla targets exactly such users.

In addition to data theft, the malware can be instructed to download additional files or run malicious PowerShell scripts.


How to defend yourself from Turla

As is often the case, the advice may seem simple and repetitive, but it is no less effective:

  • Update the operating system and all third-party applications, especially Java, Microsoft Office and Adobe Reader
  • Do not install software from untrusted sources, for example when prompted by a random page
  • Beware of emails from unknown sources that contain suspicious attachments or links