Researchers have discovered a previously undocumented backdoor and document stealer, which they have linked to the Russian-speaking Turla advanced persistent threat (APT) espionage group.
The malware, which researchers call “Crutch,” is able to bypass security measures by abusing legitimate tools – including the file-sharing service Dropbox – in order to hide behind normal network traffic. Researchers said that the Crutch toolset has been designed to exfiltrate sensitive documents and other files to Dropbox accounts, which Turla operators control.
“[Crutch] was used from 2015 to, at least, early 2020,” said researchers with ESET in a Wednesday analysis. “We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets, as is common for many Turla tools.”
Upon further investigation of the cyberattack on the Ministry of Foreign Affairs, researchers found uploaded .zip files to the operator-controlled Dropbox accounts. These .zip files contained commands for the backdoor, which were uploaded to Dropbox by the operators. The backdoor then would read and execute these commands. These commands set the stage for the staging, compression and exfiltration of documents and various files – including the execution of one tongue-in-cheek command: “mkdir %temp%\Illbeback.”
“We were able to capture some of the commands sent by the operators to several Crutch v3 instances, which is helpful to understand the goal of the operation,” they said. “The operators were mainly doing reconnaissance, lateral movement and espionage.”
Updated Variants
Researchers don’t think Crutch is a first-stage backdoor; instead, it is deployed after the attackers already had initially compromised a victim network. They have previously observed first-stage attack vectors (before the deployment of Crutch) that include a first-stage implant, such as the Skipper implant or the PowerShell Empire post-exploitation agent.
In its earliest iterations (used from 2015 up to mid-2019), the Crutch architecture included a backdoor that communicated with Dropbox, as well as a second main binary that targeted files on any removable drives that may be on the system. This binary searched for files with specific extensions (including .pdf, .rtf, .doc, .docx) on removable drives and then staged the files in an encrypted archive.
Then, in a more recent version of Crutch discovered in July 2019, attackers updated the second main binary, so it could now automatically monitor local drives (as well as removable drives).
“The main difference is that it no longer supports backdoor commands. On the other hand, it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility,” said researchers.
Turla Attribution
ESET connected Crutch to the Turla APT due to what researchers called “strong links” between a Crutch dropper from 2016 and a second-stage backdoor used by Turla from 2016 to 2017 (called Gazer, also known as WhiteBear).
Researchers said that both samples were dropped on the same machine with a five-day interval in September 2017, and they both drop CAB files containing the various malware components. The loaders that were installed by the samples also share clearly related PDB paths, and both decrypt their payloads using the same RC4 key.
“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” said researchers.
Turla, an infamous cyberespionage group, has been active for more than 10 years. The APT group has targeted many governments worldwide, especially diplomatic entities, and has constantly developed new malware families. This has included an updated version of the ComRAT remote-access trojan (RAT) and a recently updated trio of implants.
“Crutch shows that the group is not short of new or currently undocumented backdoors,” said researchers. “This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.”
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.