Turla APT group’s Outlook backdoor boosts the hackers’ stealthy cyberespionage campaigns

• The backdoor is designed for stealth and persistence and is capable of surviving even in the most restrictive networks.
• Turla hackers have been using the Outlook backdoor since 2013.

The cyberespionage group Turla is known to leverage one of its powerful backdoor malware variants called Outlook to ensure the success of its espionage campaigns. Turla is considered to be a sophisticated APT group. It has previously breached heavily protected networks, including the US Central Command in 2008.

The group has since, targeted government agencies and military organizations across the globe. Security experts at ESET have discovered that the Turla group used its custom Outlook backdoor in various attacks targeting political and military organizations across the world.

Outlook backdoor capabilities

The Outlook backdoor is extremely stealthy. It can steal emails and send all outgoing emails to the attackers. The backdoor targets email clients such as Microsoft Outlook and The Bat! - a popular mail client in Eastern Europe.

Yet another significant capability of the Outlook backdoor is that it uses email messages as a way to communicate with the attackers, instead of relying on the C2 servers.

“Data, such as files requested via a command of the backdoor, is exfiltrated in specially-crafted PDF documents attached to emails, and commands are also received in PDF attachments,” ESET researchers explained. “Thus, its behavior is particularly stealthy. It is important to note that no vulnerabilities were used either in PDF readers nor in Outlook. What actually happens is that the malware is able to decode data from the PDF documents and interpret it as commands for the backdoor.”

The backdoor is believed to have been active since 2013, although a basic version of Outlook was discovered with the compilation timestamp indicating that it was developed in 2009.

Outlook is a full-featured backdoor capable of manipulating and stealing emails. It can function independently of any other Turla component and thus, does not require a full internet connection and can operate on any computer.

“This could be very useful in strictly controlled environments with, for example, a highly filtered internet connection,” ESET researchers said. “Moreover, even if the attackers’ email address is disabled, they can still regain control of it by sending a command from another address. Thus, this malware is almost as resilient as a rootkit inspecting the incoming network traffic.”

Turla’s targets

The Turla group has used the Outlook backdoor in attacks targeting several European governments and defense contractors. So far, the group has used the backdoor to target France’s Ministry of Foreign Affairs and Europe’s Organization for Security and Cooperation. Since most governments have highly restrictive networks, the Outlook backdoor appears to be used to maintain persistence in such environments.

“While the Turla Backdoor is not the first backdoor that uses the real mailbox of the victim to receive commands and exfiltrate data, it is the first publicly known backdoor using a standard API (MAPI) to interact with Microsoft Outlook,” the researchers said.

“Our research shows that compromised organizations are at risk of not only being spied on by the Turla group who planted the backdoor, but also by other attackers. The backdoor simply executes any commands it receives, without being able to recognize the operator” ESET researchers added. Thus, it is possible that other attackers have already reverse-engineered the backdoor and figured out how to control it - and are also spying on victims using the backdoor.”