Some species of ants ride on the backs of beetles to remain hidden and avoid detection by predators. Assassin bugs hitch a ride on termites to move around without being noticed. Nature abounds with such examples of one bug hitching a ride on another to avoid detection.
Closer to our world of cyber threats, the Russian APT group Turla seems to be learning from nature. Turla, the focus of this year’s MITRE evaluation, has been active again over the last couple of years and appears to have adopted a few of nature’s tricks.
Turla Targets
Turla, first seen in 2004, is a sophisticated operation with a long list of high-profile victims in its portfolio. Past targets include the Pentagon, government and diplomatic agencies, military groups, research institutions, and more in at least 45 countries.
Turla is known for its use of advanced malware and hacking tools, and it has adopted some interesting new techniques lately. It is hitching a ride on the Andromeda malware: it reaches systems already compromised by Andromeda and uses that foothold to deliver its own reconnaissance and backdoor malware (Quiet Canary) to targets.
Quiet Canary is the same malware that was used to exfiltrate data from the Pentagon’s network in the late 2000s. Leveraging Andromeda, Turla operators also deploy a new variant of the ComRAT4 malware. The newer ComRAT4, per ESET, has two new modifications: (1) it exfiltrates anti-virus security logs from the infected devices, and (2) it takes commands from an email inbox (via Gmail) and exfiltrates data back to it.
Turla operators are most likely collecting anti-virus logs from infected hosts to analyze and better understand if, when, and how their malware and its activities are detected. They can then tweak their techniques and tactics to avoid detection in the future. This way, they operate longer before detection and remediation measures kick in. They can also cover their tracks and make it harder for security analysts to determine which files were siphoned off.
The second innovation by Turla operators is even more interesting: using Gmail’s web interface for command and control, in addition to the traditional C&C domains. The malware takes over the victim’s browser, loads a predefined cookie and initiates a Gmail session. It then reads instructions from the emails in the inbox and downloads any attached files. The exfiltrated data and files are emailed back to the operators via Gmail or can be uploaded to their C&C domains.
When Turla operators want to issue new commands, they can just send an email to the Gmail inbox.
In addition to the above, Turla also opens a second backdoor by dropping a simple, limited-functionality piece of malware popularly referred to as TinyTurla. Even if the primary malware is detected and removed, the second backdoor can be used to drop malware and re-infect the hosts.
Years of observing their targets’ environments, combined with continuous innovation, have allowed Turla to exploit various means of ingress and attack. In the next blog, I will go into the details of how Turla techniques and tactics map to MITRE ATT&CK and the various detection strategies IBM Security ReaQta offers.