Askhat -

Turla deploying 'secondary' backdoor in state-sponsored attacks

Cisco Talos said hackers connected to the Russian APT Turla are using a new piece of malware to get persistent access on infected networks in the U.S., Germany and Afghanistan.

Threat actors associated with the Russia-based Turla advanced persistent threat group are utilizing a new piece of remote access software to infect PCs as part of state-sponsored hacking campaigns against carefully selected targets.

According to researchers with Cisco Talos, the Kremlin-backed APT crew Turla has been spotted using a relatively unsophisticated piece of backdoor malware that allows the criminals to get back into machines that had already been compromised but may have been patched. Infections have been detected on machines in Afghanistan, Germany and the US.

"This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed," wrote researcher Holger Unterbrink.

"It could also be used as a second-stage dropper to infect the system with additional malware."

According to Cisco Talos, the new malware sample is not intended to be a primary piece of the Turla APT operation, but rather it functions as a sort of failsafe for the hackers should their activity be spotted. The malware itself is fairly simple, comprising of a relatively small amount of code and little in the way of encryption or authentication.

"This is a last chance backdoor so it's likely something that would be dropped along with additional malware to allow the adversary access into the compromised system should the initial malware infection be cleaned up," Cisco said in a statement to SearchSecurity.

"This is a rather simple backdoor that could have been deployed by any of the known techniques usually used by this threat actor."

Cisco Talos said that it does not yet know how the Turla attackers are initially breaking into the machines. The new backdoor is dropped alongside a host of other malware payloads that allow the Turla crew to harvest data from their targets.

Adversaries like Turla often use sophisticated malware, but they also often use what is good enough to fly under the radar.
Holger UnterbrinkSecurity researcher, Cisco Talos

"It appears to be targeted with us only seeing attempts in a handful of countries," the company said.

"However, since there are victims in multiple countries, it did have a wider net than other highly targeted operations."

Unterbrink noted that while the new backdoor malware might not be particularly complex or sophisticated, it is still a dangerous component of the APT operation and is something administrators should be on the lookout for.

"Turla has been around for many years as a state-sponsored actor and will likely not go away soon," he wrote. "Adversaries like Turla often use sophisticated malware, but they also often use what is good enough to fly under the radar."

Turla has been active for several years and has been implicated in a number of high-profile attacks, including last year's breach of the San Francisco International Airport. The blog post also noted connections between Turla's Kazuar malware and Sunburst, the backdoor used in the SolarWinds supply chain attacks.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing