Turla APT: Active Again with Newly Developed Backdoors

Turla, a Russia-based cybercriminal group, is active again and now using several older backdoors with updates and improvements. Most of the backdoors are used for the purpose of persistence. Recently, the group launched an attack campaign against foreign governments in Europe.

What has happened?

In a recent attack on the European and Asian governments, the group used their old malware with significant updates. The group used a trio of HyperStack, Carbon, and Kazur backdoors as a multi-layered threat toolkit.
  • Recent updates in older malware are made by creating built-in redundancies for remote communication.
  • The group used legitimate web services, for e.g. Pastebin, to receive encrypted tasks, along with the usual HTTP infrastructure. 
  • The attacks were focused on multiple ministries of foreign affairs, national parliaments, and embassies.
  • Besides, the group used ComRAT and Zebrocy backdoors to perform various malicious operations.

Use of backdoors

The group used several backdoors in their recent attacks to maintain persistence by overlapping backdoor access.
  • HyperStack - a remote procedure call (RPC)-based backdoor used to exfiltrate data from the victim’s network.
  • Kazur - a remote administration trojan used to receive commands via Uniform Resource Identifiers (URI).
  • Carbon - a modular backdoor framework that comes with advanced peer-to-peer capability, in use for several years.
  • ComRAT - a backdoor used by the Turla group since 2007 to steal data and install other malware.
  • Zebrocy - a backdoor used by this group to perform various functions on the compromised system.

Conclusion

The newly developed ecosystem of these backdoors is expected to be used further by this group. Therefore, experts suggest having up-to-date antivirus, patching operating systems, applying a strong password policy, monitoring users' web browsing habits, and staying alert when opening emails from unknown sources.