What Is It?

Turla is a Russian-sponsored APT (Advanced Persistent Threat) group we have covered in previous Threat Reports. Also known as Waterbug, Venomous Bear and KRYPTON, Turla has been in operation since the early 2000s. The group focuses on espionage, targeting government entities and embassies in up to 100 countries. Turla is believed to be behind attacks on the U.S. State Department, NASA, U.S. Central Command (CENTCOM) and various embassies located in European countries.

The Accenture Cyber Threat Intelligence team recently released research into a successful attack on an unnamed European government entity. Additionally, USCYBERCOM has publicly released samples of a dropper attributed to Turla by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

Turla has succeeded by continuing to evolve its custom malware to remain undetected for extended periods of time. Mirroring traditional espionage tradecraft, the less attention the malware draws to itself, the longer it can gather intelligence. Once the initial compromise and installation of the malware has been successful, the main challenge to its continued stealth is communication with the attackers and exfiltration of data (also known as command and control or C2).

Any unusual or new traffic could be detected as malicious or flagged as suspicious by security infrastructure on an organization’s network. Previously, Turla has used some novel methods to avoid drawing attention to the C2 traffic. One of the most well-known is from 2017 when the group used the comments section of a photo on Britney Spears’ official Instagram account. The malware looked for comments with a specific hash value that contained non-printable characters indicating which characters in the comment should be combined to create a bit.ly URL that redirected to the actual C2 site. 

In the latest Turla malware reported by Accenture, a combination of old and new techniques is used for C2 communication. The old and most common technique uses a compromised legitimate site to host the C2 site, which is directly contacted by the malware on each infected system. The new technique uses a compromised system inside the local network of the targeted organization as a proxy, so that C2 traffic is sent to this internal system and then forwarded to an externally hosted C2 site. This new method provides Turla with two advantages over the old method. First, it allows systems without direct internet connectivity to communicate with an external C2 site. Second, it has the potential to significantly reduce the number of infected systems communicating with an external site, which minimizes the risk of the C2 traffic being detected.
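The internal-proxy pattern described above has a detectable shape in network flow data: one internal host receives connections from several other internal hosts and is itself the only one of them talking to an external address. The script below is an added example (not BluVector's, Accenture's or any code from the report) that looks for that shape in a small set of constructed flow records; the internal address ranges and the fan-in threshold are assumptions you would tune to your own environment.

```python
"""Flag internal hosts that look like a C2 relay: internal fan-in plus external fan-out.

Added example, not code from the report. The flow records are constructed and
the internal address ranges below are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.1.1.10", "10.1.1.50", 443, 2048),
    ("10.1.1.11", "10.1.1.50", 443, 1900),
    ("10.1.1.12", "10.1.1.50", 443, 2100),
    ("10.1.1.13", "10.1.1.50", 443, 2200),
    ("10.1.1.50", "203.0.113.7", 443, 9000),   # suspected relay forwarding out (TEST-NET-3 address)
    ("10.1.1.10", "10.1.1.20", 445, 500),      # ordinary SMB to a file server
    ("10.1.1.11", "10.1.1.20", 445, 700),
    ("10.1.1.12", "10.1.1.20", 445, 600),
    ("10.1.1.13", "10.1.1.20", 445, 800),
    ("10.1.1.20", "10.1.1.30", 389, 300),      # file server talks to a directory server, stays internal
    ("10.1.1.30", "198.51.100.9", 443, 120),   # one host reaching out, but with no internal fan-in
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_internal_sources=3):
    """Return {host: details} for internal hosts that both receive traffic from at
    least min_internal_sources other internal hosts and connect to external addresses.

    Servers that many hosts talk to but that never leave the network (file servers)
    and hosts that reach the internet without internal fan-in are not flagged.
    """
    internal_sources = defaultdict(set)   # destination -> internal hosts connecting to it
    external_dsts = defaultdict(set)      # internal host -> external addresses it contacts
    bytes_in = defaultdict(int)
    bytes_out_external = defaultdict(int)

    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            internal_sources[dst].add(src)
            bytes_in[dst] += nbytes
        elif is_internal(src) and not is_internal(dst):
            external_dsts[src].add(dst)
            bytes_out_external[src] += nbytes

    candidates = {}
    for host, sources in internal_sources.items():
        if len(sources) >= min_internal_sources and external_dsts.get(host):
            candidates[host] = {
                "internal_sources": sorted(sources),
                "external_destinations": sorted(external_dsts[host]),
                # A relay forwards roughly what it receives; a large gap either way
                # is a hint to look at the payloads rather than proof of anything.
                "bytes_in": bytes_in[host],
                "bytes_out_external": bytes_out_external[host],
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_relay_candidates(FLOWS).items():
        print(host, info)
```

In real flow data the same query runs over a window of NetFlow, Zeek conn logs or firewall logs; the byte counts are included because a relay that merely forwards beacons tends to carry a volume similar to what it receives, which helps separate it from a legitimate web proxy that many hosts use for all their browsing.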

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The Turla APT group has a history of utilizing social engineering attacks to initially compromise target organizations, such as malicious documents contained in spear phishing emails.

When/How Did BluVector Detect It?

Accenture’s report contained 11 publicly available samples and USCYBERCOM uploaded 5 samples to VirusTotal. BluVector’s patented Machine Learning Engine (MLE) detected all 16 samples. Regression testing has shown the Accenture samples would have been detected an average of 33 months prior to their release and the USCYBERCOM samples would have been detected an average of 39 months prior to their release.