Turla, which is widely believed to be a Russian state-sponsored hacker group, is known for using innovative methods for developing and distributing malware for its espionage campaigns. Recently, it was observed using common technologies like Gmail and errors in HTTP protocols for controlling its malware.
In May 2020, ESET researchers found that the Turla group members had deployed an updated version of the ComRAT malware, containing some pretty clever new features.
- The latest variant of the malware ComRAT v4 (which was first seen in 2017) includes two new features, including the ability to exfiltrate antivirus logs and the ability to control the malware using a Gmail web interface in order to bypass some security controls.
- Turla uses Gmail's web User Interface as one of the two command and control channels for the updated malware, the other being a legacy HTTP channel. It can also delete the entries from the logs created by anti-virus, to clean its tracks.
- Turla used ComRAT v4 to steal confidential documents, and they took advantage of public cloud services like 4shared and OneDrive to exfiltrate the stolen data during its attacks against governmental and military institutions in Eastern Europe and the Caucasus.
A Turla exclusive
The Turla group has gained good popularity for its series of innovative malware such as RocketMan!, LightNeuron, RPC Backdoor, Neptun, PowerShell/Turla, IcedCoffee, Skipper, Kazuar, Tavdig, Carbon-DLL, Turla.cd, Turla (Module), etc. in its attacks going back to at least 2007. Now it has updated its initial infection vectors across the years. It is still active and using updated variants of its dangerous malware to target diplomats and militaries.
COMpfun malware controlled using HTTP status codes
- In early May 2020, Turla operators also used another variant of COMpfun malware that could control infected hosts using a mechanism that relies on HTTP status codes.
- This new COMpfun version has the HTTP status-based communication module in addition to bypass detection by avoiding to use known malicious traffic patterns.
- Turla APT uses COMpfun malware to harvest geolocation info and system data, to log window titles and all keystrokes on compromised systems, and to take screenshots that allow it to capture sensitive information from the victim's screen. It also has the ability to propagate to other (potentially air-gapped) devices.
Users should protect incoming mail against phishing and harmful software by using email-security solutions. Try to avoid suspicious attachments and scripts from untrusted senders. Use anti-malware software/firewall to detect and remove malicious malware.