Turla cyber-espionage group fakes Adobe to drop malware on embassies
Turla cyber-espionage group fakes Adobe to drop malware on embassies

Cyber-espionage group Turla is reported to be targetting embassies and consulates in the post-Soviet states using a new tool to dupe potential victims into installing malware to exfiltrate data.


Recent ESET research shows that in addition to bundling its backdoors with a legitimate Flash Player installer, it now also ensures that URLs and the IP addresses it uses appear to correspond to Adobe's legitimate infrastructure so that victims are convinced  they are downloading authentic software from adobe.com.

 

Attacks using The new malicious tool are believed to have begun by July 2016; they shares similarities with other malware families spread by the group including use of Mosquito, a backdoor believed created by Turla, as well as using IP addresses previously linked with the group.


ESET point out that Turla's malware is not known to have tainted any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities.


Possible attack vectors ESET researchers considered are:

  • A machine within the network of the victim's organisation could be hijacked so that it acts as a springboard for a local Man-in-the-Middle (MitM) attack.
  • The attackers could compromise the network gateway of an organisation, enabling them to intercept all the incoming and outgoing traffic between that organisation's intranet and the internet.
  • The traffic interception could also occur at the level of internet service providers (ISPs), a tactic seen in recent ESET research into surveillance campaigns deploying FinFisher spyware.
  • The attackers could have used a Border Gateway Protocol (BGP) hijack to re-route the traffic to a server controlled by Turla, although ESET notes that this tactic would probably quickly set off alarm bells with Adobe or BGP monitoring services.

Once the fake Flash installer is downloaded and launched, one of several backdoors is dropped. It could be Mosquito, a piece of Win32 malware, a malicious JavaScript file communicating with a web app hosted on Google Apps Script, or an unknown file downloaded from a bogus and non-existent Adobe URL.


Exfiltration of sensitive data can then begin and will include the unique ID of the compromised machine, the username, and the list of security products installed on the device. ‘Only' the username and device name are exfiltrated by Turla's backdoor Snake on macOS.


Finally, the fake installer drops – or downloads – and then runs a legitimate Flash Player application whose installer is either embedded in its fake counterpart or is downloaded from a Google Drive web address.

 

ESET researchers report having seen new samples of the Mosquito backdoor in the wild. These recent iterations are reported to be more heavily obfuscated with what appears to be a custom crypter, to make analysis more difficult both for malware researchers and for security software's code.


To establish persistence on the system, the installer tampers with the operating system's registry. It also creates an administrative account that allows remote access.


The main backdoor CommanderDLL has the .pdb extension. It uses a custom encryption algorithm and can execute certain predefined actions. The backdoor keeps track of everything it does on the compromised machine in an encrypted log file. ESET's latest findings about Turla are available in this white paper.

Previous researchers found the group - assuming it is the same group - is mostly active during the standard working day of the UTC +4 time zone suggesting Russian origin.