Russia-Based Turla APT Groups Infrastructure, Activity Traceable

  /     /     /  
Publicated : 23/11/2024   Category : security


Russia-Based Turla APT Groups Infrastructure, Activity Traceable


Threat actors practice of using known malware and tactics gives an opening for defenders, says Recorded Future.



The activities of Turla Group, a stealthy Russia-based threat actor associated with numerous attacks on government, diplomatic, technology, and research organizations, may be trackable because of the groups penchant to use older malware and techniques alongside its arsenal of newer custom tools.
Researchers at Recorded Future recently came to that conclusion after conducting an in-depth analysis of Turlas activities using data from its threat intelligence platform and several other sources, including open source intelligence. The vendors goal was to see whether it could develop methods — including scanning rules and indicators — for identifying Turla malware and infrastructure.
Recorded Futures analysis showed Turla (aka Snake and Venomous Bear) to be a group that is continuing to develop its own advanced custom malware tools and adopting new attack and obfuscation methods all the time. In 2019, the group began ramping up its use of PowerShell scripts via PowerSploit and PowerShell Empire. It also developed a custom PowerShell backdoor dubbed PowerStallion, all in an apparent effort to make discovery harder for defenders.
However Recorded Future also found that in several lengthy campaigns, Turla had a pattern of using older malware and methods that researchers had previously identified as being used by the threat actor. This habit gives defenders an opening to proactively track and identify Turla’s infrastructure and activities,
Recorded Future said
.
Turla is a bit unusual in continuing to use old, well-known malware that they have laying about, says John TerBush, senior threat intelligence researcher at Recorded Futures Insikt Group. There are a handful of other examples of continued use of older malware, such as Winnti and PlugX by groups associated with China. [But] most advanced actors will move on to newer malware once they have been publicly reported on and evaluated by researchers, TerBush says.
According to TerBush, the reason simply could be that the older, tried-and-tested methods are continuing to work for Turla in most attacks. While the group is continuously adding to its malware portfolio, Turla is also very smart about how to use them and do very specific targeting in order to limit exposure.
Hijacking Malware and Infrastructure
At least twice in the past, Turla has leveraged malware and infrastructure belonging to other threat groups to carry out its own missions. The first time was back in 2012 when Turla members reused malware belonging to a China-based threat actor called Quarian, TerBush says.
In that instance, Kaspersky researchers assessed that Turla actors downloaded, then uninstalled, the Quarian malware in an attempt to divert and deceive incident responders post-discovery, TerBush says.
More recently, in 2019 Symantec and later the United Kingdoms National Cyber Security Center (NCSC) reported on Turla group members using malware and command-and-control (C2) infrastructure associated with APT34, a well-known Iranian threat actor. The NCSC described Turla as using APT34s malware tools — Nautilus, Neuron, and an ASPX webshell called TwoFace — in attacks against UK organizations. The incident marked the first time one state-backed actor managed to take over another nation-state actors malware and infrastructure.
According to TerBush, Recorded Futures analysis suggests that Turlas takeover of APT34s assets may have been opportunistic in nature and facilitated by data that another threat actor released in 2019.
Recorded Future found that while Turla frequently targets Windows systems, they have also deliberately targeted email servers using custom backdoors for Microsoft Exchange and other mail servers in order to take control of email traffic. The group also has been using compromised WordPress sites for command-and-control purposes and WordPress-focused URLs for delivering payloads. This tendency enables the profiling of their C2s and payload URLs to discover new Turla infrastructure, Recorded Future said.
As part of its Turla investigation Recorded Future researchers analyzed two malware types associated with the group — a remote access Trojan called Mosquito and the TwoFace webshell that Turla hijacked from APT34. The vendor concluded that many of the TwoFace webshells that are currently operational are now under the control of the Turla group and not APT34.
Recorded Futures report provides a study in how others might similarly analyze nation-state malware and create sound detection methods, TerBush says. Using these findings, we hope that organizations will utilize these and other detection methods for Turla malware, he says.
Related Content:
Russian Hackers Using Iranian APTs Infrastructure in Widespread Attacks
Russian Nation-State Group Employs Custom Backdoor for Microsoft Exchange Server
Turla Threat Group Uses Email PDF Attachments to Control Stealthy Backdoor
8 Ways Businesses Unknowingly Help Hackers
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays featured story:
CASB 101: Why a Cloud Access Security Broker Matters
.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Russia-Based Turla APT Groups Infrastructure, Activity Traceable