Researchers expect to see Solaris machines infected by Turla

Dec 13, 2014 21:50 GMT  ·  By
Image: Environment set for a temporary file execution in Linux Turla backdoor

The Linux variant of the Turla remote access Trojan (RAT) may initially have targeted machines running the Solaris operating system, recent analysis of the malware suggests.

Turla RAT is a component of a cyber-espionage operation discovered by security researchers at Kaspersky, who named it Epic Turla. Several hundred Windows computers in over 45 countries have been found infected with this malware.

Finding Solaris machines infected with Turla would not be surprising

At the beginning of the week, Kaspersky announced the discovery of a Linux variant used by the threat actor behind the Epic Turla campaign, also known as Snake and Uroburos. Their analysis focused on the functionality of the threat.

F-Secure also examined the malware sample and concluded that Linux Turla sets up an environment for executing files that is typical of the Solaris operating system, not of Linux.

“This raises a question on whether this backdoor was originally targeting Solaris platform. There's nothing in the code and statically-linked libraries that would make this especially difficult to port, so we wouldn't be surprised to find out this malware is also on Solaris boxes in the following days,” Jarkko Salo, business manager at F-Secure, says in a blog post.

This came after another interesting finding: the backdoor can sniff the network interface for a particular type of packet, which lets it configure its command and control server address and activate its functions.

Linux Turla relies on proof-of-concept source code from 2000

Another interesting aspect of the Linux variant of the Turla advanced persistent threat is that it is based on freely available code from cd00r, a proof-of-concept backdoor written in 2000 to demonstrate that a backdoor server can be invisible: the port it listens on is not open at all times, but only after certain packets are detected in the network traffic.
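A listener that stays closed until a sniffed trigger packet arrives leaves a trace on the wire that a defender can look for: the same host port answers RST to one probe and SYN-ACK shortly afterwards, with an otherwise unanswered inbound packet in between. The following Python heuristic is an added example, not code from the article, Kaspersky or F-Secure; it scans constructed TCP observations for such closed-then-open transitions. The record format, the 60-second window, the sample data and the reply labels are all assumptions made for the example.

```python
"""Heuristic detection of dormant listeners (added example, not from the article).

Flags a server port that answered RST (closed) and then, within a short
window, answered SYN-ACK (open) to a client that had sent the same server at
least one unanswered packet in between. That closed-then-open pattern is the
observable side effect of a cd00r-style backdoor that opens its port only
after sniffing a trigger packet.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60.0  # assumption: how soon after the RST an "open" is suspicious


@dataclass(frozen=True)
class TcpObservation:
    ts: float      # capture time in seconds (constructed clock)
    client: str    # source of the inbound packet
    server: str    # monitored host
    port: int      # destination port on the server
    reply: str     # "rst" = port closed, "synack" = port open, "none" = no reply seen


def find_dormant_listeners(events, window=WINDOW_SECONDS):
    """Return a list of findings:
    (server, port, rst_ts, open_ts, client, [(trigger_ts, trigger_port), ...]).
    """
    by_target = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_target[(e.server, e.port)].append(e)

    findings = []
    reported = set()  # (server, port, open_ts) already emitted
    for (server, port), seq in by_target.items():
        for i, closed in enumerate(seq):
            if closed.reply != "rst":
                continue
            # Look for the first successful handshake after this RST.
            for opened in seq[i + 1:]:
                if opened.ts - closed.ts > window:
                    break
                if opened.reply != "synack":
                    continue
                key = (server, port, opened.ts)
                if key in reported:
                    break
                # Unanswered packets from the connecting client to this host,
                # on any port, between the RST and the open: trigger candidates.
                triggers = [
                    (e.ts, e.port) for e in events
                    if e.server == server and e.client == opened.client
                    and e.reply == "none" and closed.ts < e.ts < opened.ts
                ]
                if triggers:
                    findings.append((server, port, closed.ts, opened.ts,
                                     opened.client, sorted(triggers)))
                    reported.add(key)
                break
    return findings


# Constructed sample observations (not real capture data).
SAMPLE = [
    # 10.0.0.5:8443 is closed when first probed ...
    TcpObservation(100.0, "10.0.0.9", "10.0.0.5", 8443, "rst"),
    # ... the client sends a packet to 5555 that nothing answers ...
    TcpObservation(105.0, "10.0.0.9", "10.0.0.5", 5555, "none"),
    # ... and two seconds later 8443 accepts a connection from the same client.
    TcpObservation(107.0, "10.0.0.9", "10.0.0.5", 8443, "synack"),
    # Benign web server: always open, never flagged.
    TcpObservation(101.0, "10.0.0.9", "10.0.0.7", 443, "synack"),
    TcpObservation(130.0, "10.0.0.9", "10.0.0.7", 443, "synack"),
    # Restarted SSH service: closed then open, but no unanswered packet in between.
    TcpObservation(200.0, "10.0.0.11", "10.0.0.8", 22, "rst"),
    TcpObservation(210.0, "10.0.0.11", "10.0.0.8", 22, "synack"),
]

if __name__ == "__main__":
    for server, port, t_closed, t_open, client, triggers in find_dormant_listeners(SAMPLE):
        print(f"{server}:{port} closed at {t_closed}, open at {t_open} for {client}; "
              f"possible triggers: {triggers}")
```

The heuristic deliberately requires an unanswered packet from the same client in between, so that an ordinary service restart (the 10.0.0.8:22 records above) is not reported. It still produces false positives on hosts whose firewalls drop traffic while a service is coming up, so findings are leads for a host investigation (what process holds the port, and whether it has a raw socket open) rather than verdicts.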

It is also worth noting that Kaspersky discovered more than one strain of the malware, which suggests active development and supports the platform-porting theory put forward by F-Secure.

Although the Solaris operating system, developed by Oracle, can be used on desktops, it is deployed mostly on servers and large mainframes. It is currently at version 11 and aims to improve cloud operations by maximizing the resources of a data center while keeping it secure.

Turla has all the hallmarks of an APT, and the operation is believed to be still active. It was discovered this year, but researchers determined that it started in 2012, with an interest in government entities, intelligence agencies and diplomatic organizations, as well as the military, academia and the pharmaceutical sector.

Linux Turla (4 images): Environment set for a temporary file execution in Linux Turla backdoor; Detection of the latest strain of Turla for Linux; Epic Turla cyber-espionage campaign is believed to have started in 2012.