The Russia-linked threat group known as Turla was observed using two new pieces of malware in attacks launched over a period of roughly two months in the fall of 2019, ESET reports.
Also known as Waterbug, KRYPTON, Snake, and Venomous Bear, and active for more than a decade, Turla is known for the targeting of various diplomatic and military organizations, with a focus on NATO and Commonwealth of Independent States (CIS) nations.
The group has an extensive portfolio of malicious tools and continuously expands it to keep its attacks effective. The most recent additions, ESET says, were discovered while analyzing a watering hole attack targeting high-profile Armenian websites.
As part of the campaign, a fake Adobe Flash update lure was used to infect victims, with at least four Armenian websites compromised, including two belonging to the government, suggesting that the intended targets are government officials and politicians.
The affected websites, namely the consular section of the Embassy of Armenia in Russia, the Ministry of Nature Protection and Natural Resources of the Republic of Artsakh, the Armenian Institute of International and Security Affairs, and the Armenian Deposit Guarantee Fund, had been compromised since at least the beginning of 2019, ESET believes.
“Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators,” ESET researcher Matthieu Faou pointed out.
Prior to September 2019, victims were tricked into installing the Skipper malware that was first documented in 2017. Between September and November, the malicious domain would deliver a new .NET downloader dubbed NetFlash, which fetched a second-stage backdoor named PyFlash.
The malware, which appears to be the first Python-based backdoor ever used by Turla, uses HTTP to communicate with its command and control (C&C) server. It receives backdoor commands in JSON format that instruct it to download additional files, execute Windows commands, change the execution delay, or terminate itself.
In a report providing a historic view of Turla’s activity, Recorded Future revealed on Thursday that, since January 2020, the nation-state actor has been leveraging malware and infrastructure previously associated with the Iranian threat actor APT34, after successfully infiltrating the group’s network last year.
“Recorded Future assesses with high confidence that TwoFace is the Iranian APT34 ASPX shell Turla was scanning for to pivot to additional hosts, as documented in the NSA/NCSC report. We assess that any live TwoFace shells as of late January 2020 could also be potential operational assets of the Turla Group,” the security firm says.
TwoFace was first detailed in 2017, but APT34 (also known as OilRig) is believed to have been using it since 2016. It allows attackers to run programs and shell commands, manipulate files, upload/download files, and modify timestamps.
According to Recorded Future, Turla has been scanning for the presence of TwoFace ASPX web shells and then attempting to access the infected machines to download Snake and other malware. The security firm therefore believes that many of the web shells are now operational assets of Turla and no longer controlled by APT34.
Recorded Future believes that Turla is a well-funded, advanced nation-state group that will remain active in the coming years and will continue to improve its tools. The group is also expected to change its targeting and practices, and to surprise with unique operational concepts.
“However, the group’s consistent patterns and use of stable and periodically updated versions of unique malware for lengthy campaigns may allow proactive tracking and identification of its infrastructure and activities in the future,” the security firm concludes.