Cyberespionage Group Turla Targets Diplomats in Eastern Europe Using Fake Adobe Flash Player Installers

ESET researchers have found that Turla, the notorious state-sponsored cyberespionage group, has added a fresh weapon to its arsenal that is being used in new campaigns targeting high-value targets, including embassies and consulates in Eastern Europe.

This new tool attempts to dupe victims into installing malware that is ultimately aimed at siphoning off sensitive information from Turla’s targets.

Not only does the gang now bundle its backdoors together with a legitimate Flash Player installer but, compounding things further, it ensures that URLs and the IP addresses it uses appear to correspond to Adobe’s legitimate infrastructure.

ESET is confident, however, that Turla’s malware has not compromised any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities.

Turla’s Possible Interception Points

Analysis of Adobe Flash abuse

Having monitored the Turla group closely for many years, ESET found that this new malware is not only packaged with a legitimate Flash Player installer but also appears to be from adobe.com. From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash installer.

However, on closer inspection, ESET was able to see that the fake Flash installers were performing GET requests to extract sensitive information from the newly compromised systems. ESET telemetry shows that Turla installers have been exfiltrating information to get.adobe.com URLs since at least July 2016. Using legitimate domains for data exfiltration makes detection in network traffic much harder for defenders, which highlights the Turla group’s desire to remain as stealthy as possible.

“Turla operators have many sophisticated ways of tricking users into downloading seemingly authentic software, and are clever in how they hide their malicious traffic,” said Jean-Ian Boutin, senior malware researcher at ESET. “Even the most experienced users could be fooled into downloading a malicious file that looks as though it is from Adobe.com, since the URL and IP address mimic Adobe’s legitimate infrastructure. As all the downloads we saw were done over HTTP, we advise organizations to forbid the download of executable files over an unencrypted connection. This would significantly reduce the effectiveness of Turla’s attacks, as it is harder to intercept and modify encrypted traffic on the path between a machine and a remote server.

“Secondly, checking the file signature should confirm whether something suspicious is happening given that these malicious files are not signed and installers from Adobe are. Taking such steps should help users avoid falling victim to Turla’s latest campaign.”
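Turning the two recommendations in the quote above into a check over web proxy logs, as an added example that is not ESET's own code: the log format, the sample lines and the query-length threshold are constructed assumptions, and the get.adobe.com query heuristic is an assumption about how the exfiltration would surface in traffic, not a detail taken from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log sample (not ESET telemetry): client, method, URL, status, bytes.
SAMPLE_LOG = """\
10.0.0.5 GET http://get.adobe.com/flashplayer/ 200 1204
10.0.0.5 GET http://get.adobe.com/flashplayer/download/install_flash_player.exe 200 20115760
10.0.0.5 GET http://get.adobe.com/flashplayer/?d=4f1a9b0c7e2d5a6b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f70819 200 512
10.0.0.9 GET https://get.adobe.com/flashplayer/download/install_flash_player.exe 200 20115760
10.0.0.9 GET http://intranet.example.local/docs/policy.pdf 200 88012
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
EXECUTABLE_SUFFIXES = (".exe", ".msi")
# Assumed cut-off for a "normal" query string on get.adobe.com; tune it against your own baseline.
MAX_BENIGN_QUERY_LEN = 32

def parse_line(line: str):
    """Split one log line into fields; None for lines that do not match the constructed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, _status, _size = m.groups()
    u = urlsplit(url)
    return {"client": client, "method": method, "url": url, "scheme": u.scheme.lower(),
            "host": (u.hostname or "").lower(), "path": u.path, "query": u.query}

def exe_over_plain_http(entry) -> bool:
    """ESET's first recommendation: an executable fetched over unencrypted HTTP can be
    replaced on the path, however legitimate the host and IP look, so flag it."""
    return entry["scheme"] == "http" and entry["path"].lower().endswith(EXECUTABLE_SUFFIXES)

def long_query_to_adobe(entry) -> bool:
    """Heuristic (assumed, not from the report): the installers exfiltrate through GET requests
    to get.adobe.com, so a GET there carrying far more query data than a download needs stands out."""
    h = entry["host"]
    return (entry["method"] == "GET" and (h == "get.adobe.com" or h.endswith(".get.adobe.com"))
            and len(entry["query"]) > MAX_BENIGN_QUERY_LEN)

def analyze(log_text: str):
    """Return (client, reason, url) for every line that trips one of the heuristics."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if exe_over_plain_http(entry):
            findings.append((entry["client"], "executable over plain HTTP", entry["url"]))
        if long_query_to_adobe(entry):
            findings.append((entry["client"], "long query to get.adobe.com", entry["url"]))
    return findings
```

The HTTPS download on the fourth sample line is deliberately left alone: the point of the first check is the unencrypted path, not the Adobe host itself.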

Evidence of Turla involvement

ESET is confident in attributing this campaign to the Turla group for a number of reasons.

First, some fake Flash installers drop a backdoor referred to as Mosquito, which has already been detected as Turla malware.

Second, some of the Command and Control (C&C) servers linked to the dropped backdoors are using SATCOM IP addresses previously associated with Turla.

Lastly, this malware shares similarities with other malware families used by the Turla group.
