Pacifier APT backdoor components have suspected ties to Russia-linked Turla Group
Pacifier APT backdoor components have suspected ties to Russia-linked Turla Group

Bitdefender researchers spotted three new Pacifier APT backdoor components that appear to connect the group's cyber-espionage campaigns against government institutions to the Russia-linked Turla Group.  

Researchers spotted new components that communicate with command and control servers using three very innovative techniques, one of which is a binary that can communicate with a command and control server (C&C) by proxying the connection through an internet-connected computer that shares the same LAN as the victim, according to a recent Whitepaper.

The other two techniques are a Visual Basic Script backdoor that uses the browser's (Internet Explorer) local storage mechanism to communicate with the command and control server and a third backdoor that uses obfuscated JavaScript that constantly connects to command and control and sends information about the victim's system.

Researchers said the backdoor modules were potentially developed by the Turla group and are further evidence that Turla is highly versed in evasion techniques and constantly employs new attack and stealth mechanisms to dodge traditional security tools.

Communication with the C&C is triggered by user activity and not by the malware.

“While the three analysed backdoors are different, they all show just how versatile the Turla group is in terms of coding, implementations and data exfiltration techniques,” researchers said in the paper. “We also found some other programs and tools for collecting data, including some freely available on the internet and probably uploaded by the attacker post-infection.”

The group is likely comprised of skilled members with a deep understanding of security evasion techniques, researchers said.

Bitdefender researchers first spotted the APT group targeting government institution in 2014 using malicious .doc documents and .zip files to distribute spearphishing emails looking to lure victims to social functions or conferences into executing attachments.

Earlier this week, ESET researchers linked a previously undocumented backdoor program used to spy on foreign embassies and consulates to Turla APT group. Researchers said the Gazer backdoor shares many commonalities to Turla's previous malware operations, including its targets, method of delivery, anti-detection methods, use of compromised websites as infrastructure, and other processes.