Tracking Turla New backdoor delivered via Armenian watering holes dump furniture outlet near me, the dump furniture store online shopping
Can an old APT learn new tricks? Turla’s TTPs are largely unchanged, but the group recently added a Python backdoor.
ESET researchers found a watering hole (aka strategic web compromise) operation targeting several high-profile Armenian websites. It relies on a fake Adobe Flash update lure and delivers two previously undocumented pieces of malware we have dubbed NetFlash and PyFlash.
Various aspects of this campaign lead us to attribute this operation to Turla, an infamous espionage group active for more than ten years. Its main targets include governmental and military organizations. We have previously reported multiple campaigns of this group including Mosquito and LightNeuron .
In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.
According to ESET telemetry, the following websites were compromised:
We have indications that these websites were compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication.
Since the end of November 2019, we noticed that skategirlchina[.]com was not delivering malicious scripts anymore. Thus, it is likely the Turla operators have suspended this watering hole operation.
If it is the first time the user’s browser executes the script, it will add an evercookie with a seemingly random MD5 value provided by the server, different at each execution of the script. The implementation of the evercookie is based on code available on GitHub . It uses multiple storage places such as the local database, local shared objects (Flash cookies), Silverlight storage, etc., to store the cookie value. In comparison to a regular cookie, it will be much more persistent as it won’t be deleted if the user just deletes the browser’s cookies.
This evercookie will be used to track whether the user visits one of the compromised websites again. When the user comes back for a second time, the previously stored MD5 value will be used to identify them.
Figure 2. Fingerprint script (malicious URLs defanged)
This iframe displays a fake Adobe Flash update warning to the user, shown in Figure 3, in order to trick them into downloading a malicious Flash installer.
Figure 4 is an overview of the compromise process from initially visiting one of the compromised Armenian websites to the delivery of a malicious payload.
Once the user executes the fake installer, it will execute both a Turla malware variant and a legitimate Adobe Flash installer. Thus, the user is likely to believe that the update warning was legitimate.
Prior to the end of August 2019, the victim would receive a RAR-SFX archive containing a legitimate Adobe Flash v14 installer and a second RAR-SFX archive. The latter contains the various components of a backdoor known as Skipper that has been previously attributed to Turla. It was documented in 2017 by researchers from Bitdefender , and a more recent version was documented by Telsy in May 2019.
Given that there are only minor changes between the documented versions and the most recent ones, we won’t provide a detailed analysis here.
At the end of August 2019, we noticed that the payload delivered by skategirlchina[.]com changed.
The new payload was a .NET application that dropped an installer for Adobe Flash v32 in %TEMP%\adobe.exe, and NetFlash (a .NET downloader) in %TEMP%\winhost.exe.
According to their compilation timestamps, the malware samples were compiled at the end of August 2019 and at the beginning on September 2019, right before being uploaded to the watering hole’s C&C server.
NetFlash downloads its second stage malware from a hardcoded URL and establishes persistence for this new backdoor using a Windows scheduled task. Figure 5 shows the NetFlash function that downloads the second stage malware, named PyFlash. We also encountered another NetFlash sample, likely compiled at the end of August 2019, with a different hardcoded C&C server: 134.209.222[.]206:15363.
This second stage backdoor is a py2exe executable. py2exe is a Python extension to convert a Python script into a standalone Windows executable. To our knowledge, this is the first time the Turla developers have used the Python language in a backdoor.
The backdoor communicates with its hardcoded C&C server via HTTP. The C&C URL and other parameters such as the AES key and IV used to encrypt all network communications are specified at the beginning of the script, as shown in Figure 6.
The main function of the script, shown in Figure 7, sends information about the machine to the C&C server. This is the output of the functions from the commands list seen in Figure 6. It includes OS-related commands (systeminfo, tasklist) and network-related commands (ipconfig, getmac, arp).
The C&C server can also send backdoor commands in JSON format. The commands implemented in this version of PyFlash are:
Then, the output of the command is sent back to the operators, encrypted with AES, via a POST request.
Turla is still using watering hole attacks as one of its initial access tactics. Interestingly, this campaign relies on a well-known social engineering trick – a fake Adobe Flash update warning – in order to induce the user to download and install malware.
On the other hand, the payload has changed, probably in order to evade detection, as Skipper has been known for many years. They switched to NetFlash, which installs a backdoor we call PyFlash and that is developed in the Python language.
We will continue monitoring new Turla activities and will publish relevant information on our blog. For any inquiries, contact us as email@example.com . Indicators of Compromise can also be found on our GitHub repository.
dump furniture outlet near me the dump furniture store online shopping