Turla APT Group Uses Novel Email Backdoor

What Is It?

Researchers from security company Eset have released a report detailing their analysis of malware used by the Advanced Persistent Threat (APT) group Turla (also known as Waterbug, Venomous Bear and KRYPTON).

The malware is currently using a novel technique for its command and control (C2) communication, it utilizes specially-formatted PDF files in emails being sent to and from Microsoft Outlook clients.

The Turla APT group is Russia-based and has been active since 2007, targeting various governmental organizations and military contractors. Previous targets have included the U.S. Department of State, U.S. Central Command (CENTCOM) and embassies located in European countries.

Recent breaches attributed to Turla include the German Federal Foreign Office, where several systems were backdoored for nine months in 2017 before the malware was discovered. Previous attacks have shown Turla to have excellent social engineering and technical skills, including campaigns where both Windows and Mac users downloaded genuine versions of Adobe Flash Player, plus a backdoor, from apparently legitimate IP addresses.

Eset researchers believe the backdoor has been under constant development as far back as 2009. The most recent version, from April 2018, is now capable of running PowerShell scripts in memory. Of great interest is the novel C2 communication technique leveraging Microsoft Outlook and using PDF files. This technique does not exploit any vulnerabilities and uses Outlook’s genuine Messaging Application Programming Interface (MAPI) to gain access to the mailboxes on infected systems.

Firstly, the backdoor logs information related to each legitimate email sent or received by the user (sender, recipients, subject and attachment filenames). This information is encrypted and periodically sent to the attackers in a PDF file attached to an email. Incoming emails containing PDF files are scanned to see if they contain commands common to bots and backdoors, such as downloading and executing files, running commands and exfiltrating data via PDF files attached to outgoing emails. The malware attempts to remain undetected by blocking notifications of incoming C2 emails and removing them from the inbox and sent folder.

It is believed to be the only malware using email exclusively for its C2 communication.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. There are no details available regarding the initial infection vector, however the Turla APT group have proven themselves adept at utilizing social engineering to their advantage, which may include malicious documents in spear phishing emails.

When/How Did BluVector Detect It?

Three publicly available samples were tested and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown that the samples would have been detected up to 38 months prior to their release.

All Threat Reports