The Russian-backed threat group Turla is targeting the Ukrainian and Eastern European defence sector with a new backdoor. Based on reports, the attackers used a .NET-based backdoor dubbed DeliveryCheck that can deliver next-stage payloads.
CERT-UA coordinates with other threat intelligence teams to analyse the newly discovered campaign. Their investigations also led to the attribution of the current attack to a Russian state-sponsored threat group, Turla.
The Turla group goes by several names and has long been regarded as one of Russia's most dangerous cyber threat groups.
According to an investigation, Turla is known by several names, such as Secret Blizzard, Uroburos, Iron Hunter, Venomous Bear, and Waterbug. However, the most notorious aspect of this group is its connection with Russia’s Federal Security Service (FSB).
Researchers stated that the Turla group spreads the DeliveryCheck backdoor through emails containing malicious macros. The backdoor persists through a scheduled task that downloads it and deploys it in memory.
In addition, it contacts a command-and-control server to retrieve tasks, which can include the deployment of arbitrary payloads embedded in XSLT stylesheets.
In some instances, Turla’s successful intrusion includes the distribution of their signature implant called Kazuar. This implant could steal app configuration files, event logs, and various data from web browsers.
However, the researchers believe that the primary objective of Turla’s campaign is to exfiltrate messages from the Signal messaging app for Windows. This process could allow them to access critical information on the targeted systems, such as sensitive conversations, images, or documents.
An essential aspect of the new DeliveryCheck backdoor is that it can infiltrate Microsoft Exchange servers to install a server-side component using PowerShell Desired State Configuration (DSC).
DSC is a PowerShell management platform that helps administrators automate the configuration of Windows systems. In this campaign, DSC is used to generate a Managed Object Format (MOF) archive containing a PowerShell script that loads an embedded .NET payload into memory. This tactic effectively turns a legitimate server into a malware command-and-control centre.
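The following hunting script is an added example for defenders, not code from the article or from any of the reports it cites. It inspects the DSC Local Configuration Manager's stored MOF documents for the traits described above (an embedded PowerShell script that decodes and loads a .NET assembly in memory) and also reviews scheduled tasks for the kind of in-memory PowerShell staging mentioned earlier. The MOF directory, the pattern list, and the base64 length threshold are assumptions to be tuned per environment; run it elevated on the server being checked.

```powershell
# Added hunting helper (not from the article). Looks for a DSC-delivered in-memory
# .NET loader and for scheduled tasks that stage PowerShell payloads in memory.
# Paths, patterns and thresholds are assumptions; tune them for your environment.

$MofDir   = Join-Path $env:SystemRoot 'System32\Configuration'   # LCM stores its MOF documents here
$MofFiles = @('Current.mof', 'Pending.mof', 'Previous.mof', 'backup.mof') |
    ForEach-Object { Join-Path $MofDir $_ } | Where-Object { Test-Path $_ }

# Strings a MOF-embedded loader script would typically need (constructed list, not an IoC set).
$LoaderPatterns = @(
    'FromBase64String',
    'Reflection\.Assembly\]::Load',
    'Add-Type',
    'Invoke-Expression|\bIEX\b'
)
$LongBase64 = '[A-Za-z0-9+/]{400,}={0,2}'   # an embedded blob rather than a normal resource property

$Findings = @()
foreach ($f in $MofFiles) {
    $text = Get-Content -Path $f -Raw -ErrorAction SilentlyContinue
    if (-not $text) { continue }
    # Wrapping the pipeline in @() yields an empty array (not @($null)) when nothing matches.
    $reasons = @($LoaderPatterns | Where-Object { $text -match $_ })
    if ([regex]::IsMatch($text, $LongBase64)) { $reasons += 'long-base64-blob' }
    if ($reasons.Count -gt 0) {
        $Findings += [pscustomobject]@{ Source = $f; Reason = ($reasons -join ', ') }
    }
}

# Scheduled-task persistence: flag tasks whose action runs PowerShell with encoded,
# decode-and-load, or download-and-execute arguments.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and
            $cmd -match '-enc|-e |FromBase64String|DownloadString|Invoke-Expression|\bIEX\b') {
            $Findings += [pscustomobject]@{
                Source = "Task: $($task.TaskPath)$($task.TaskName)"
                Reason = $cmd
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No DSC or scheduled-task loader indicators found.' }
```

Any hit is a lead for manual review of the MOF or task, not proof of compromise: legitimate DSC resources and administrative tasks can also use Add-Type or encoded commands.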
This new malware attack was disclosed after the Ukrainian Cyber Police took down a massive bot farm involving over 100 individuals who allegedly spread hostile propaganda to justify the Russian invasion. The operators leaked the personal information of Ukrainian citizens and engaged in multiple fraud schemes to support Russia in the geopolitical conflict.