The advanced persistent threat (APT) known as Turla is targeting government organizations using custom malware, including an updated trio of implants that give the group persistence through overlapping backdoor access.
Russia-tied Turla (a.k.a. Ouroboros, Snake, Venomous Bear or Waterbug) is a cyber-espionage group that’s been around for more than a decade. It’s known for its complex collection of malware and interesting command-and-control (C2) implementations. It targets governmental, military and diplomatic targets.
Accenture researchers observed a recent campaign against a foreign government in Europe that ran between June and October, which featured three legacy weapons, all with significant updates. They worked together as a kind of multi-layered threat toolkit.
One of the updated tools is the HyperStack remote procedure call (RPC)-based backdoor (named after the filename that its authors gave it). Accenture has tied it to the group for the first time, thanks to its use alongside the other two tools seen in the campaign: Known Turla second-stage remote-access trojans (RATs), Kazuar and Carbon.
“The RATs transmit the command-execution results and exfiltrate data from the victim’s network, while the RPC-based backdoors [including HyperStack] use the RPC protocol to perform lateral movement and issue and receive commands on other machines in the local network,” according to an Accenture analysis, released on Wednesday. “These tools often include several layers of obfuscation and defense-evasion techniques.”
The upgrades seen in the campaign largely revolved around building redundancy into remote communication: Turla deployed several distinct C2 configurations on the same network so that, if defenders blocked one channel, the operators still had another way back in.
“[These included] novel [C2] configurations for Turla’s Carbon and Kazuar [RATs] on the same victim network,” according to the analysis. “The Kazuar instances varied in configuration between using external C2 nodes off the victim network and internal nodes on the affected network, and the Carbon instance had been updated to include a Pastebin project to receive encrypted tasks alongside its traditional HTTP C2 infrastructure.”
The HyperStack backdoor began life in 2018, but it received a major update in September that allowed Accenture researchers to tie it back to Turla.
“The updated functionality…appears to be inspired by the RPC backdoors previously publicly disclosed by ESET and Symantec researchers, as well as with the Carbon backdoor,” they explained. “Based on these similarities, we assess with high confidence that HyperStack is a custom Turla backdoor.”
The new version of HyperStack uses named pipes to carry RPC calls from a controller to the device hosting the HyperStack client. It leverages IPC$, the default administrative SMB share that exists on every Windows host and exposes named pipes for remote clients to write to or read from, which is the same transport Windows itself uses for inter-process communication (IPC) over the network.
“To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials,” explained Accenture researchers. “If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device.”
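The behaviour just described leaves a trail on the target side: every connection to the IPC$ share by a null session shows up in the Windows Security log as a share-access event for "ANONYMOUS LOGON". The following hunt script is an added example (not Accenture's code and not derived from HyperStack itself) that runs over constructed records shaped like Event ID 5140 and flags sources that opened null IPC$ sessions to several hosts, which is the fan-out pattern lateral movement produces. The event dicts, host names and addresses are all made up for the example; the field names mirror the 5140 event body, but adapt the loader to whatever schema your SIEM uses.

```python
"""Hunt Windows Security log records for null-session connections to the IPC$ share, the
primitive described above for HyperStack lateral movement. Records are constructed dicts
whose keys mirror the fields of Event ID 5140 ("A network share object was accessed");
adapt the loader to your SIEM's schema."""
from collections import defaultdict

ANON = "ANONYMOUS LOGON"

# Constructed sample records, not from any real incident. Each is one event as seen on the
# target host ("Computer"), with the connecting account and source address from the event body.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "FS01", "AccountName": "jdoe", "AccountDomain": "CORP",
     "ShareName": r"\\*\IPC$", "SourceAddress": "10.0.5.23"},
    {"EventID": 5140, "Computer": "FS01", "AccountName": ANON, "AccountDomain": "NT AUTHORITY",
     "ShareName": r"\\*\IPC$", "SourceAddress": "10.0.5.77"},
    {"EventID": 5140, "Computer": "WS-ACCT-12", "AccountName": ANON, "AccountDomain": "NT AUTHORITY",
     "ShareName": r"\\*\IPC$", "SourceAddress": "10.0.5.77"},
    {"EventID": 5140, "Computer": "WS-HR-03", "AccountName": ANON, "AccountDomain": "NT AUTHORITY",
     "ShareName": r"\\*\ipc$", "SourceAddress": "10.0.5.77"},
    {"EventID": 5140, "Computer": "FS01", "AccountName": "svc_backup", "AccountDomain": "CORP",
     "ShareName": r"\\*\Backups", "SourceAddress": "10.0.5.50"},
    # A 4624 (logon) record for the same anonymous session; a companion signal, ignored here.
    {"EventID": 4624, "Computer": "FS01", "AccountName": ANON, "AccountDomain": "NT AUTHORITY",
     "LogonType": 3, "SourceAddress": "10.0.5.77"},
]


def is_null_session_ipc(event):
    """True for a 5140 record in which ANONYMOUS LOGON reached the IPC$ share."""
    if event.get("EventID") != 5140:
        return False
    share = event.get("ShareName", "").upper()
    return share.endswith("IPC$") and event.get("AccountName", "").upper() == ANON


def fan_out(events):
    """Map each source address to the set of hosts it reached over a null IPC$ session."""
    targets = defaultdict(set)
    for ev in events:
        if is_null_session_ipc(ev):
            targets[ev["SourceAddress"]].add(ev["Computer"])
    return dict(targets)


def alerts(events, min_targets=2):
    """Sources that opened null IPC$ sessions to at least min_targets distinct hosts.

    A single anonymous probe is often benign noise; one source reaching across many hosts is
    the lateral-movement pattern worth an analyst's time."""
    return sorted((src, sorted(hosts))
                  for src, hosts in fan_out(events).items()
                  if len(hosts) >= min_targets)


if __name__ == "__main__":
    for src, hosts in alerts(SAMPLE_EVENTS):
        print(f"{src} opened null IPC$ sessions to {len(hosts)} hosts: {', '.join(hosts)}")
```

Event 5140 is only written when the "Audit File Share" subcategory is enabled on the target hosts, so check the audit policy before relying on this; the 4624 logon event (logon type 3, account ANONYMOUS LOGON) from the same source is the companion signal where share auditing is off. On the hardening side, the null-session path this hunt looks for is closed by the RestrictNullSessAccess value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the "default credentials" path the implant also tries is a password-hygiene problem rather than a logging one.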
Meanwhile, a Kazuar sample from the observed European campaign that Accenture analyzed in mid-September was configured to receive commands via Uniform Resource Identifiers (URIs) pointing at internal C2 nodes inside the victim government's own network.
This Kazuar configuration acted alongside another sample, analyzed in early October.
“Based on references to the internal C2 node, the October sample likely acts as a transfer agent used to proxy commands from the remote Turla operators to the Kazuar instances on internal nodes in the network, via an internet-facing shared network location,” according to Accenture. “This set-up allows Turla operators to communicate with Kazuar-infected machines in the victim network that are not accessible remotely.”
Yet another Kazuar sample found on the victim network was configured to communicate directly with a C2 server located outside the victim network, hosted on a compromised legitimate website. This was used by Turla to proxy commands and exfiltrate data to Turla backend infrastructure, researchers said.
Kazuar is a multiplatform trojan discovered in 2017 that allows Turla to remotely load additional plugins to increase its capabilities. It exposes these through an Application Programming Interface (API) to a built-in web server, and it has code lineage that can be traced back to at least 2005, researchers have said. For a while it was believed to have been the successor to Carbon.
The aforementioned legacy tool Carbon was also updated for the observed campaign. Carbon is a modular backdoor framework with advanced peer-to-peer capability that Turla has used for several years, well before Kazuar hit the scene.
In June, an updated sample made an appearance that combined Turla-owned C2 infrastructure with tasks served from Pastebin, researchers found. The installer for the sample contained a configuration file with URLs for compromised web servers hosting a web shell that relays commands to, and exfiltrates data from, the victim network, which is Carbon's established C2 pattern. But researchers noted that it also contained a parameter labeled [RENDEZVOUS_POINT], with a URL for a Pastebin project.
“When accessing the Pastebin URL, an encrypted blob is downloaded that requires a corresponding RSA private key from the configuration file,” researchers explained. “The configuration file analyzed did not contain the RSA private key and therefore we were unable to decrypt the contents of the Pastebin link. We assess the decrypted blob was likely a task for the Carbon instance.”
The use of a legitimate web service like Pastebin for C2 activities is an ongoing trend among APTs, the researchers noted, for a few different reasons.
“[For one], web services allow cyber-espionage groups’ malicious network traffic to blend easily with legitimate network traffic,” according to researchers. “Also, threat groups can easily change or create new infrastructure which makes it difficult for defenders to shut down or sinkhole their infrastructure. [And], using web services complicates attribution since the C2 infrastructure is not owned by the threat group.”
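Because the Pastebin rendezvous point blends into ordinary web traffic, blocking the domain is rarely an option and the tasks themselves are encrypted, so the practical detection is behavioural: an implant polling a paste on a schedule looks different from a person reading one. The script below is an added example (not Accenture's code and not derived from Carbon) that hunts a proxy log for raw-paste fetches that are either made by a non-browser client or repeat at near-constant intervals. The log format, the client addresses, the paste identifiers and the user-agent strings are all constructed for the example, and the list of paste services to watch is an assumption you should extend for your environment.

```python
"""Hunt proxy logs for the 'legitimate web service as C2' pattern described above: a host
repeatedly pulling a paste on a schedule, or pulling it with a non-browser client.
The log lines and field layout are constructed for this example; adapt parse_line to
your proxy's format."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumption: the paste services worth watching. Extend for your environment.
PASTE_HOSTS = {"pastebin.com", "raw.pastebin.com"}

# Constructed line layout: timestamp client method url status "user-agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic, not from any real incident. Paste IDs and user agents are made up.
SAMPLE_LOG = """\
2020-09-14T09:00:00Z 10.0.5.23 GET https://www.example.org/ 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"
2020-09-14T09:05:10Z 10.0.5.23 GET https://pastebin.com/EXAMPLE00 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"
2020-09-14T10:00:00Z 10.0.5.77 GET https://pastebin.com/raw/EXAMPLE01 200 "ExampleWinHttpClient/1.0"
2020-09-14T11:00:03Z 10.0.5.77 GET https://pastebin.com/raw/EXAMPLE01 200 "ExampleWinHttpClient/1.0"
2020-09-14T12:00:01Z 10.0.5.77 GET https://pastebin.com/raw/EXAMPLE01 200 "ExampleWinHttpClient/1.0"
2020-09-14T09:00:00Z 10.0.5.50 GET https://pastebin.com/raw/EXAMPLE02 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"
2020-09-14T09:30:00Z 10.0.5.50 GET https://pastebin.com/raw/EXAMPLE02 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"
2020-09-14T10:00:00Z 10.0.5.50 GET https://pastebin.com/raw/EXAMPLE02 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"
2020-09-14T10:30:00Z 10.0.5.50 GET https://pastebin.com/raw/EXAMPLE02 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"
"""


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def periodicity(timestamps):
    """Return (mean_gap_seconds, jitter) for a sorted list of datetimes, where jitter is
    the standard deviation of the gaps divided by their mean. None if fewer than 3 hits."""
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def hunt(log_text, max_jitter=0.2):
    """Group paste-site fetches by (client, url, user agent) and flag the suspicious ones."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] in PASTE_HOSTS:
            groups[(rec["client"], rec["url"], rec["ua"])].append(rec["ts"])
    findings = []
    for (client, url, ua), stamps in groups.items():
        stamps.sort()
        reasons = []
        if not ua.startswith("Mozilla/"):
            reasons.append("non-browser user agent")
        p = periodicity(stamps)
        if p and p[1] <= max_jitter:
            reasons.append(f"{len(stamps)} fetches about {int(p[0])}s apart (jitter {p[1]:.2f})")
        if reasons:
            findings.append({"client": client, "url": url, "hits": len(stamps), "reasons": reasons})
    return sorted(findings, key=lambda f: f["client"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['client']} -> {f['url']}: {'; '.join(f['reasons'])}")
```

The user-agent check alone is weak, since any implant can claim to be a browser; the interval check catches a beacon regardless of what it calls itself, and a real operator's one-off visit to a paste (the 10.0.5.23 line above) is left alone. Tune max_jitter to the sleep randomization you expect, and run the same grouping over the other hosted services in PASTE_HOSTS that your environment treats as harmless.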
Turla will likely continue to use its legacy tools, with upgrades, to compromise its victims and maintain long-term access to them, researchers said.
“This combination of tools has served Turla well, as some of their current backdoors use code that dates back to 2005,” Accenture researchers noted. “The threat group will likely continue to maintain and rely on this ecosystem, and iterations of it, as long as the group targets Windows-based networks.”