14 DAY TRIAL // Security researchers have analyzed the way Turla, the cyber-espionage Trojan also known as Snake or Uroburos, operates and determined that it is preceded by another malware that profiles the victim, so that threat actors can deploy the spying operation only on individuals of interest.
The analysis of the way Turla works has been conducted by Kaspersky, Symantec and CrySyS Lab in Budapest and has revealed that the operators behind the campaign are highly sophisticated in their methods.
More than one malicious file is used by the attackers to reach their goal. First, a backdoor mostly known as “Wipbot” and “Tavdig” (sometimes referred to as “WorldCupSec” or “TadjMakhal”) is deployed to collect details. Then the main module is delivered, which can execute a variety of commands and exfiltrate data on the affected computer.
Kaspersky says that Turla has infected several hundred computers, all selected specifically because they were of interest to a nation state.
Users may be accustomed to larger numbers for a first opinion on a cyber-attack, but in this case, the machines connected to government institutions, embassies, military, education, research and pharmaceutical companies in more than 45 countries.
The attack was conducted in multiple stages, a first step being to infect the targeted victim, either via watering hole, leveraging Java, Flash or Internet Explorer exploits, or spear-phishing emails that delivered PDF exploits.
Among the vulnerabilities exploited, we should mention CVE-2013-5065 (privilege escalation in Windows XP and 2003) and CVE-2013-3346 (execution of arbitrary code in Adobe Reader).
The watering hole attacks were carried out by compromising websites of interest to the victim, mostly under government administration.
The actors behind the operation, which Kaspersky called “Epic Turla,” selected their victims by instructing the website malware to deliver the payload only to a specific range of IP addresses.
They can be more accurate than this though, being able to define only certain IP addresses. As such, anomalous activity on the infected websites is even more difficult to detect, since the trigger comes with its own particularities.
According to Kaspersky, most of the victims are from France (25), followed closely by the United States (24) and Iran (22), and are connected to governments (various ministries from EU and Asia), embassies, military (EU), education, research (Middle East), and pharmaceutical companies.
Other countries on the list are Russia (17), Belarus (17), Germany (16), Romania (15), Poland (13), Netherlands (13), Kazakhstan (13), Saudi Arabia (13) and Tajikistan (10).
Kaspersky’s findings indicate that the operators behind Epic Turla are of Russian origin, evidence of this being the use of the codepage “1251” on the control panel of the malware, which is most often employed for Cyrilic characters, and of the internal name “Zagruzchick,” which is the Russian equivalent for “boot loader.”
Of course, all this could be intentional, to set analysts on a false track. Kaspersky says that the espionage activity using these tools has not reached an end and infections are still being recorded.