Turla APT Active Again with Crutch Malware Toolkit

Turla, the Russia-based threat actor, has been observed using a new malware toolset capable of stealing sensitive documents. The attacks were reportedly directed at high-profile targets, including the Ministry of Foreign Affairs of a European Union country.

What happened?

Crutch is designed to harvest and exfiltrate sensitive documents and other files to Dropbox accounts managed by Turla.
The operators were mainly focusing on reconnaissance, lateral movement, and espionage. In addition, the main malicious activity consisted of staging, compression, and exfiltration of documents.
  • They uploaded ZIP files to Dropbox accounts that contain commands for the backdoor.
  • The attackers spread Crutch as a second stage backdoor on already compromised machines by using first-stage implants such as Skipper, and PowerShell Empire post-exploitation framework.
  • The recent version Crutch v4 added a removable-drive monitor with networking capabilities. It can automatically upload the files saved on local and removable drives to Dropbox.

Recent activities

In the last two months, Turla has been active and targeting governments, embassies, educational institutions, and research facilities.
  • Last month, the U.S. Cyber Command disclosed eight new malware samples, of which six belonged to ComRAT and two to Zebrocy.
  • In addition, earlier they hacked into the systems of an unnamed European government organization.

Conclusion

The Turla group is very active at present and is updating its older malware to target several industries around the world. Thus, experts suggest using a reliable anti-malware solution, software/hardware system for computer and network security, and implementing security mechanisms for common infection vectors.

Cyware Publisher

Publisher

Cyware