The Turla Hackers are a famous criminal collective that are widely known for executing complex attacks against large companies and government institutions. Security experts have detected that they are responsible for a large-scale ongoing hacking campaign against embassies and consulates mainly in Europe using advanced network manipulation techniques.
The Early Warning Signs: Turla Hackers Suspected Of A Dangerous Attack
Computer security researchers were alerted of a combined hacking attack. The in-depth analysis shows that the collective is probably the likely culprit as a very complex infection chain is used against high-profile targets. The majority of intended victims are diplomats primarily based in Europe. The operators have used modified copies of the Adobe Flash Player to install a dangerous backdoor called Mosquito which is attributed to the group. During the malware’s initialization it connects to command and control servers that were previously associated with the Turla group in previous campaigns.
The behavior analysis also matches the signatures of other malware families that are attributed to the Turla hacking group. This includes not only similar process execution sequence, but also advanced components such as the string obfuscation and the API resolution component. This concludes that the hackers are continuing their intrusion attempts against high-profile targets once again.
The Turla Hackers Employ Network Manipulation and Adobe’s Servers During Infection
The Turla hackers have created counterfeit copies of the Adobe Flash Player which is not so much different than some of their previous campaigns. However instead of using familiar tactics like email messages (with or without social engineering techniques) and counterfeit download sites, the malware files seem to be downloaded directly from the Adobe servers. As a result intrusion detection services and user administrators may be deceived into allowing the installation to continue.
Upon further inspection it was discovered that the hackers did not used the host field manipulation technique. The criminals manipulate this field to point to a hacker-controlled server. However during the in-depth analysis it was revealed that this was not the case and malware files indeed seem to be available from Adobe’s servers. The security team at the company however state that no intrusion has been detected.
There are several possible explanations that are under consideration:
- Rogue DNS Server — The IP addresses do respond to the real servers used by Adobe so this suggestion was quickly discarded.
- Man-in-the-Middle (MitM) Attack — The Turla hackers can utilize a compromised machine found on the network of the intended victims. Using an ARP spoofing technique the criminals can manipulate the traffic in real time and redirect it to other dangerous hosts. During the in-depth investigation of the ongoing attacks no such tools were detected in the code and behavior patterns. If this method is employed then an infection must have been made before the actual campaign launch.
- Hacked Gateway Device — In this case the criminals intrude onto gateway devices (routers, proxy servers and network switches) that impact a large number of victims. Such attacks give Turla the ability to review and incoming and outgoing traffic between the local area network and the Internet.
- ISP Level Intrusion — In a similar way the Turla group can modify intrude onto the servers of the Internet service providers themselves (ISPs). Most of the targets are located in former USSR countries and they use at least four different providers. This scenario would be likely if the hackers have the ability to monitor network traffic in different countries at the same time.
- BGP Hijacking — The last possible scenario is a BGP hijacking attack. This can be done by using an autonomous system to announce a prefix that belongs to the Adobe site. This would allow network traffic to be routed to hacker-controlled sites. The affected group would be users that are located near the dangerous locations. However this is highly unlikely as there are numerous services that constantly monitor for such malware practices.
Effectively any network abuse can result it malware infections with arbitrary payloads. The ongoing attack campaign seems to mostly lead to an infection with a dangerous backdoor known as Mosquito.
An alternative behavior has also been observed where the Adobe Flash installer delivers two separate JAvaScript-based backdoor instead of the Mosquito malware. They are placed in a system folder used by Microsoft and are called google_update_chcker.js and local_update_checker.js.
The first instance loads a web application hosted on Google Apps Script. The application is made in such a way that it expects a base-64 encoded reply. Once the necessary command is sent back the contents is decoded using a built-in function. It is presumed that it’s purpose is to download additional threats to the machine. In other cases it can be used to execute arbitrary commands as well. The code analysis shows that like Mosquito it can be installed as a persistent threat by adding a registry value.
The second JavaScript malware reads the contents of a file located in a system folder and executes its contents. Such viruses are dropped together with their associated configuration files. They are extremely dangerous as their behavior can be altered depending on each infected host. It can add a registry value in order to achieve a persistent state of execution.
The Mosquito Backdoor Is The Turla Hackers Weapon
The in-depth analysis of the main payload used by the Turla group is a backdoor called Mosquito. The analysts note that this is an updated of a an older threat that has been used since 2009. It is disguised as an Adobe Flash Player installer and may fool most computer users as it contains legitimate signatures from Adobe. The actual malicious code is heavily obfuscated (hidden) using a custom encryption mechanism. Once the malware payload has been deployed it follows a predefined behavior pattern.
Upon infection the Mosquito backdoor decrypts itself and drops two files to system folders. The analysts note that Turla includes a stealth protection technique that searchers for strings that are associated with security software. In future versions it can also be used against other tools such as virtual machines, sandboxes and debugging environments. The Mosquito malware proceeds by setting up a persistent state of execution via a run registry key or COM hijacking. This is also followed by a Windows Registry modification. As a result the dangerous code is executed every time the computer is started.
An information gathering phase follows. The malware has the ability to extract sensitive information about the system and send it to the hackers via an Adobe domain. Some of the example data includes the unique ID of the sample, the username of the victim users or the network’s ARP table.
In order to fool the victims into thinking that its a legitimate installer a real Adobe Flash setup instance is downloaded and executed. Two sources have been found identified in the captured samples — Adobe’s own downloads server and a Google Drive link.
Before the main backdoor code is executed the setup process creates a separate administrative account called HelpAssistant or HelpAsistant having the password “sysQ!123”. The system value LocalAccountTokenFilterPolicy is set to 1 (True) which allows remote administration. The security experts reveal that this may be used in conjunction with remote access operations made by the criminals.
The Turla Hackers Invention — Capabilities of the Mosquito Backdoor
The main backdoor code uses encrypted Windows registry values using a custom algorithm for configuring itself. The Turla hackers have bundled a comprehensive log file writer. The analysts note that it writes a time stamp for each log entry. This is highly unusual for a backdoor like this one and is probably used by the perpetrators to retrace the infections.
Like other similar backdoors it connects to a hacker-control command and control (C&C) server to report any computer interactions. This is done over a random amount of time, a technique which evades heuristic-based scans. The hackers can use it to send arbitrary commands and cause further damage to the infected hosts. The user-agent is set to appear as Google Chrome (version 41).
A list of predefined instructions for easier programming is bundled in the backdoor. The list includes the following entries:
- Download and Execute a File.
- Process Launch.
- File Delete.
- File Exfiltration.
- Store Data to Registry.
- Execute Command and Send Output To C&C Servers.
- Add a C&C Server URL.
- Delete a C&C Server URL.
Ongoing Turla Hackers Attack: How to Counter Them
At the moment the Mosquito backdoor is still ongoing and as the security investigations continue to seek out the origins of the dangerous intrusions the number of potential targets continues to rise. The Turla criminal collective is widely known for being able to break into high-profile targets, many of their victims are government institutions or large international enterprises. The social engineering attacks are noteworthy for their complexity, the analyst also note that the advanced network-related attacks are carefully planned to avoid all manners of analysis and intrusion detection.
As the signatures are known available to the general public we advise computers users to scan their systems for any malware infections.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunters
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: