Turla and Zebrocy hacker groups shared hacking tools and targets in recent campaigns

• Both groups were found targeting government research and military organizations, focusing heavily on Central Asia.
• Both Zebrocy and Turla were spotted using an almost identical version of the KopiLuwak backdoor in their operations.

Turla, one of the oldest and most prolific Russian hacker groups, has been sharing malware code and targets with another threat group - Zebrocy. Both groups were recently found targeting government research and military organizations, focusing heavily on Central Asia.

Zebrocy is believed to be a subset of the notorious Kremlin-linked cyberespionage group APT28 - aka Fancy Bear. Security experts at Kaspersky Lab discovered the overlapping of codes and targets between Turla and Zebrocy. The researchers said that the most recent iteration of Turla’s KopiLuwak backdoor was delivered to victims using an almost identical code that was previously used by Zebrocy.

“The most recent evolution in the KopiLuwak life cycle was observed in mid-2018 when we observed a very small set of systems in Syria and Afghanistan being targeted with a new delivery vector,” Kaspersky Lab researchers wrote in a blog. “In this campaign, the KopiLuwak backdoor was encoded and delivered in a Windows shortcut (.lnk) file. The lnk files were an especially interesting development because the PowerShell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier,”

Malware evolution

Kaspersky researchers found that Turla’s custom malware variants, Carbon and Mosquito, among others, were upgraded recently. Carbon, which is a powerful cyberespionage malware framework, has been deployed against a very select set of targets.

“We expect Carbon framework code modifications and predict selective deployment of this matured codebase to continue into 2019 within Central Asia and related remote locations,” Kaspersky researchers said. “A complex module like this one must require some effort and investment, and while corresponding loader/injector and lateral movement malware moves to open source, this backdoor package and its infrastructure is likely not going to be replaced altogether in the short term.”

Meanwhile, the Mosquito malware’s delivery technique has evolved since 2017. In January 2018, the malware was modified to inject the ComRAT malware into the memory of a targeted system.

“We expect to see more open-source based or inspired fileless components and memory loaders from Mosquito throughout 2018. Perhaps this malware enhancement indicates that they are more interested in maintaining current access to victim organizations than developing offensive technologies,” the researchers added.

Unlike other Russian cyberespionage groups such as APT28 and APT29 that spent a majority of the past couple of years targeting organizations in the West, Turla has been working under the radar, focusing heavily on entities in the East.

“Turla is one of the oldest, most enduring and capable known threat actors, renowned for constantly shedding its skin and trying out new innovations and approaches,” Kaspersky Lab principal security researcher Kurt Baumgartner said in a statement. “Our research into its main malware clusters during 2018 shows that it continues to regrow and experiment. Our research suggests Turla’s code development and implementation is ongoing, and organizations that believe they could be a target should prepare for this.”