»The Snake keeps reinventing itself«
2018-10-16, 15:15–16:00, Europe

In this talk, we will survey some new components of the infamous Turla group. Through our multi-year tracking, we selected for discussion components that were never analyzed publicly as well as some emerging TTPs for this group.

= CFP HACK.LU 2018:

== Biography

.Jean-Ian Boutin

Jean-Ian Boutin is a senior malware researcher in the Security Intelligence program at ESET. In his position, he is responsible for investigating trends in malware and finding effective techniques to counter new threats. He has presented at several security conferences, including RECON, Virus Bulletin, CARO and ZeroNights. Jean-Ian completed his Master's degree in computer engineering at Concordia University in Montreal in 2009. His main interests include investigation of financially motivated threat actors and state-sponsored espionage groups. He has also participated in several large botnet takedown operations in conjunction with law enforcement and industry partners.

.Matthieu Faou

Matthieu Faou is a malware researcher at ESET, where he performs in-depth analysis of malware. He finished his Master’s degree in computer science at École Polytechnique de Montréal and at École des Mines de Nancy in 2016. In the past, he has presented at conferences such as Virus Bulletin, Recon Brussels and Botconf.

== Abstract/Paper

After having tracked Turla's activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). In this talk, we would like to share this knowledge to help defenders protect their networks. We will also present an in-depth analysis of undocumented components, such as the Outlook backdoor, allegedly used in the early-2018 attack against the German government.

Turla is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaigns, against the US military, goes back ten years, and they are still very active. During this presentation, we will discuss some recent public cases involving Turla operators. This group targets a very specific group of people and, as such, uses advanced targeting techniques such as spear phishing and watering holes to go after them.

As one of the top APT groups, it has developed a broad range of tools and techniques to breach a network and stay persistent on it. We will first detail their methodology for moving within a network and for keeping persistent access to the different machines even after the malicious files have been cleaned up.

Then, we will present the analysis of an interesting piece of malware: an Outlook backdoor leveraging the MAPI interface, allegedly used against the German government in early 2018. This is a full-featured backdoor that is able to work independently from any other Turla component. Commands are received through specially crafted PDF attachments that are then decoded and interpreted by the backdoor. It also exfiltrates highly sensitive data, such as the outgoing emails sent by the infected user. The e-mail address used for exfiltration was registered at a popular European free email provider. This unusual communication channel for a backdoor helps the attackers blend into normal network traffic and bypass security monitoring solutions. We will also present older versions of this backdoor, as we were able to trace it back as early as 2013.

Regarding infection vectors, the group also uses interesting techniques to trick users. We found evidence that, from the endpoint perspective, a Turla malware sample was downloaded over HTTP from the legitimate Adobe domain used to distribute Flash. The IP addresses belong to Akamai, the CDN Adobe uses. As the same addresses are also used to distribute legitimate Flash installers, this is not a simple DNS hijacking. We will discuss the different possibilities that could lead to this kind of behavior. After discussions with the Adobe security team, who confirmed they were not breached, we quickly discarded the possibility of a compromise of their website. Thus, the possible explanations range from a local MitM attack to collusion with an ISP (or its compromise). We will also compare these possibilities with other attacks we have already seen in the wild.

Finally, we will discuss recent updates regarding the early stages of infection. We have analysed the 4th version of ComRAT, which has been in the wild for some months. This backdoor is one of Turla's oldest, a direct descendant of Agent.BTZ, which was used more than ten years ago. We will outline the many advances introduced in this new version and the constant updates they are implementing. We will also show that they have partially switched to more generic tools, such as Metasploit, for the first stage of infection. Previously, they were known for developing their own custom malware for all stages of infection.