Turla, the notorious cyber espionage group that rose to infamy after breaching the US Defense Department in 2008, seems to be shifting gears towards using generic, open-source exploitation tools rather than solely relying on their own custom creations. ESET researchers first observed the change in Turla's Mosquito campaign in March 2018.
The attackers leverage the open-source exploitation framework Metasploit before dropping its custom Mosquito backdoor. Although the group has used generic tools in previous, such as the open-source password dumper Mimikatz, this is the first time Turla has decided to go with Metasploit as a first stage backdoor.
"Our January 2018 white paper was the first public analysis of a Turla campaign called Mosquito," researchers said in a blog post. "Since then, the campaign has remained very active and attackers have been busy changing their tactics to remain as stealthy as possible."
In the initial Mosquito campaign, a fake Flash installer was used to target embassies and consulates in Eastern Europe and install a Turla backdoor along with the legitimate Adobe Flash Player. When a user downloads a Flash installer from get.adobe.com through HTTP, traffic is intercepted on a node between the targeted machine and the Adobe servers in a man-in-the-middle attack that allows the hackers to replace the legitimate Flash player with a trojanized version.
While the updated Mosquito campaign still leverages a fake Flash installer, it now executes a Metasploit shellcode and downloads a legitimate Flash installer from a Google Drive URL, rather than directly dropping two malicious DLLs. This is likely used to dupe the user into thinking the download was successful and legitimate.
The shellcode then downloads a Meterpreter that allows the attacker to control the infected system and eventually download the usual Mosquito backdoor.
"Because Metasploit is being used, we might also guess that an operator controls the exploitation process manually," researchers said. They also noted that the final backdoor is dropped within 30 minutes of the initial compromise attempt.