Turla has been observed carrying out three separate campaigns using custom malware, modified versions of publicly available hacking tools and legitimate administration tools.
The Turla group is also known as Waterbug or Snake, it has used new tools for malicious campaigns targeting various government agencies worldwide.
Campaign 1 – involved a newly observed backdoor named Neptun installed on Microsoft Exchange servers. Neptun is designed to passively listen for commands from the attacker, making the malware more difficult to detect. Once installed, Neptun is able to download additional tools, upload stolen files, and execute shell commands.
Campaign 2 – uses a backdoor named PhotoBased.dll, that stores its command and control configuration in the registry for Windows Media Player and modifies the Microsoft registry to prevent pop-ups when running the PsExec tool. Once the backdoor is installed an attacker can use it to upload and download files, execute shell commands, and update its configuration. This campaign also installed another unnamed backdoor that runs a command shell via the named pipe cmd_pipe. Both backdoors allow the attacker to execute commands to gain full control of the user”s system.
Campaign 3 – Turla used a backdoor, named securlsa.chk. This backdoor receives commands through the remote procedure call (RPC) protocol. Using the backdoor the attacker can execute commands using cmd.exe and read or write arbitrary files. This RPC backdoor also included source code derived from the tool PowerShellRunner, which allows a user to run PowerShell scripts without executing powershell.exe. This allows the attacker to potentially bypass detection aimed at identifying malicious PowerShell usage.