ESET: Turla Mosquito backdoor used in Eastern Europe
Turla is one of the most well-known cyber groups specializing in espionage. In its arsenal, an extensive set of tools , the most advanced of which are used to set the priority for attacking machines. The espionage platform is primarily focused on Windows, but it can be used for macOS and Linux using various backdoors and rootkits.
Not so long ago, we discovered a new method of compromising workstations that Turla uses. This technique is used in attacks aimed at employees of embassies and consulates of the countries of the former Soviet Union.
For several years, Turla has used fake installers of the Adobe Flash Player to compromise victims. Such a vector does not require complex exploits, success depends on the degree of trustfulness of the user who is persuaded to install the fake.
')
In recent months, we have seen unusual new behavior that leads to infection with one of the Turla backdoors. It is not only packaged with a real Flash installer, but also looks like it’s being downloaded from adobe.com. From the end user's point of view, the remote IP address belongs to Akamai, the official content distribution network (CDN) used by Adobe to distribute its legitimate Flash Player installers. After examining the process, we found out that the fake Flash installers (including the Snake backdoor installer for macOS) performed a GET request at get.adobe.com URLs to exfiltrate data about new compromised machines. According to our telemetry, the IP address is the legitimate IP address used by Adobe.
In this report, we describe the methods that could lead to similar malicious behavior. According to our data, the malware did not use legitimate updates of Adobe Flash Player and is not associated with known vulnerabilities of Adobe products. We can state with confidence that Adobe has not been compromised. The attackers only used the brand to trick users.
We also discovered that the Turla group used a web application hosted on Google Apps Script as a command server (C & C) for JavaScript-malware, which was downloaded by some versions of the fake Flash installer. Obviously, the attackers tend to work as inconspicuously as possible, disguising their activity in the network traffic of the target organizations.
According to telemetry, there is evidence that Turla programs have transmitted information to the get.adobe.com URL at least since July 2016. The victims are on the territory of the former USSR. As for Gazer , another malware developed by Turla, its targets are consulates and embassies of Eastern European countries. We have seen several infections in private companies, but it is unlikely that they were the main targets of the attack. Finally, some of the victims are infected with other malware that Turla is the author, including ComRAT or Gazer.
Before analyzing the unusual network connections, we will explain why we attribute this campaign to Turla.
First, some of the fake installers Adobe Flash Player downloads the Mosquito backdoor, which some security companies associate with Turla.
Secondly, some C & C servers associated with hosted backdoors use or have previously used Turla-related SATCOM IP addresses.
Thirdly, malware has common features with other tools of the Turla group. The similarity includes an identical obfuscation of lines (putting lines on the stack and applying XOR with 0x55) and the same API resolution.
These elements allow you to determine with certainty the connection of the campaign with Turla.
Using Flash fake installers is not a new tactic for Turla. So, experts documented this behavior in 2014. However, in our opinion, the malware is first downloaded via HTTP from legitimate URLs and Adobe IP. This could be misleading, even for experienced users.
Since the beginning of August 2016, we have found several attempts to download the Turla installer from the address admdownload.adobe.com.
At first glance it seemed that we would see a typical trick consisting in setting the Host header of the HTTP request, while the TCP socket is set to the IP address of the C & C server. But after deep analysis, we realized that the IP address is legitimate and belongs to Akamai, a large content delivery network (CDN) used by Adobe to distribute the legitimate Flash installer.
Even if the executable file is loaded from a legitimate URL (for example,
It is important to note that all download attempts found in the collected data were made via HTTP, not HTTPS. This allows you to perform a wide range of attacks on the way from the user's machine to Akamai servers.
The following section discusses possible compromise scenarios. The question of what actually happened remains open. We would appreciate feedback if you have additional information.
Figure 1 presents hypotheses that could explain how to force a user, possibly visiting the legitimate Adobe website via HTTP, to download the Turla malware.
Figure 1. Possible interception points on the way between the machine of the potential victim and the Adobe servers
We quickly eliminated the unauthorized DNS server hypothesis, since the IP address corresponds to the servers used by Adobe to distribute Flash. After discussing with Adobe and based on their investigations, scenario 5 seems unlikely, since the attackers did not compromise the Flash Player download site . Thus, the following options remain:
1) an attack with a “man in the middle” (MitM) using a compromised machine in the local network,
2) a compromised network gateway or proxy organization,
3) MitM attack at the level of the Internet service provider (ISP),
4) attack on BGP routers ( Border Gateway Protocol hijacking ) to redirect traffic to Turla-controlled servers.
Turla operators could use the already compromised machine on the victim’s network to carry out a local MitM attack. With ARP spoofing, they could redirect traffic from the target machine to the compromised one on the fly. And although we are not aware of the availability of such tools in the Turla arsenal, they are not difficult to develop, given the technical capabilities of this group.
However, we found many victims in different organizations. This means that Turla would have to compromise at least one computer in each of these organizations, more precisely, a computer in the subnet of a preferred target.
This attack is similar to the previous one, but it is much more interesting for attackers - they can intercept traffic from the entire organization without ARP spoofing, since gateways and proxies usually see all incoming and outgoing traffic between the intranet and the Internet. We do not know about the presence or absence of a tool for solving this problem with Turla, but their Uroburos rootkit has the ability to analyze packets. It can be installed on servers and used as a proxy to distribute tasks for infected machines that do not have a public IP address . Turla has sufficient expertise and resources to modify the Uroburos code to intercept traffic on the fly and introduce malicious components, or otherwise change unencrypted content.
If traffic is not intercepted before leaving the organization’s internal network, it changes later, on the way to Adobe servers. The main access point on this segment are Internet providers. Earlier in ESET announced the spread of FinFisher spyware through the introduction of packages at the ISP level.
All victims known to us are in the countries of the former USSR. They use the services of at least four Internet service providers. Thus, this scenario assumes that Turla has the ability to monitor traffic in different countries, or data transmission channels.
If the traffic is not changed by the service provider and does not reach the Adobe servers, it means that it is redirected to another server controlled by Turla operators. This can be done by performing an attack on BGP routers in one of the following ways.
On the one hand, Turla operators could use the Autonomous System (AS) to declare a prefix belonging to adobe.com. Thus, traffic sent to adobe.com from places close to the controlled Turla AS will be sent to their server. An example of such malicious activity was analyzed by RIPE. However, this would be quickly noticed in Adobe or in a service that performs BGP monitoring. In addition, we checked RIPEstat statistics and did not notice any suspicious route announcements for the Adobe IP addresses used in this campaign.
On the other hand, Turla operators could use their AS to advertise a shorter path than any other AS to Adobe servers. Thus, the traffic would also go through their routers and could be intercepted and changed in real time. However, most of the traffic to Adobe servers would be redirected to an unauthorized router - it is difficult to disguise such tactics and there is a chance that after launching in August 2016, the campaign would soon be discovered.
Of the five scenarios presented in Figure 1, we considered only four, as we are sure that Adobe was not compromised. The attack on BGP routers and the MitM attack at the service provider level are more difficult than others. We assume that the Turla group uses a special tool installed on the local gateways of the target organizations, which allows you to intercept and modify traffic before it leaves the intranet.
After the user has downloaded and launched the fake Flash installer, the compromise process starts. It starts with the introduction of the Turla backdoor. It may be Mosquito, malware for 32-bit Windows, described in section 4; a malicious javascript file that communicates with a web application on the Google Apps Script service, described in section 5; or unknown file downloaded from Adobe fake URL:
In the latter case, since there is no such URL on the Adobe server, to transfer content through it to the Turla group, you need something like MitM on the path between compromised machines and Adobe servers.
Next, a query is executed that displays information about the new compromised machine. This is a GET request at
Figure 2. Code making a request to the fake URL get.adobe.com
The base64-encrypted data contains confidential information about the victim’s machine. It would be strange if she actually went to the Adobe server. Figure 3 is an example of a decoded report. The data includes a unique ID (the last 8 bytes of the fake Flash installer executable, as shown in Figure 4), the username, the list of installed security products, and the ARP table.
Figure 3. Installation report sent to the dummy get.adobe.com URL
Figure 4. Unique ID at the end of the installer
Interestingly, the Snake installer for macOS (the backdoor associated with Turla) uses the same URL as in Figure 5. The information transferred is somewhat different because it contains only the user name and the device name, although it is still encoded in base64. However, this behavior was not documented by Fox-IT when publishing the analysis.
Figure 5. The code that executes the request for the substitute URL URL get.adobe.com in the Snake installer for macOS
Finally, the fake installer injects or downloads, and then launches the legitimate Flash Player application. The legitimate installer is either built into the fake installer, or downloaded via the following path to the Google Drive URL:
In this section, we describe samples found in-the-wild, mainly in 2017. We found evidence that the campaign has been going on for several years, and the samples of 2017 are the result of the evolution of the backdoor into the file
It comes as a fake Flash installer and is bundled with two additional components that are later dropped to disk. As explained above, we found several users who downloaded the Flash fake installer from the URL and IP used by Adobe to distribute the legitimate installer.
In new versions, the installer is always obfuscated, as it seems to us, with the help of encryption. Figure 6 shows an example of a function obfuscated with this tool.
Figure 6. Obfuscated function
First, this cryptographer widely uses fuzzy predicates together with arithmetic operations. For example, an obfuscated function counts a number from hard-coded values ​​and then compares it in magnitude with another hard-coded value. Thus, during each execution, the process will be the same, but emulation is required to determine the correct path. Therefore, the code becomes too complicated for analysis both for analysts and for automated security software algorithms. This can slow down the emulation to such an extent that the object will not be scanned due to time constraints, and as a result, the specified (if not obfuscated) malware will not be detected.
Second, after the first deobfuscation step, a call is made to the Win32 API
Thirdly, the present code is divided into several fragments, which are decrypted using a special function and are ordered at run time to create PE in memory. It is then performed using the function of the PE bootloader encoder. This PE bootloader contains several debug lines, as shown in Figure 7.
Figure 7. Debug strings in PE loader function
After decryption, the installer searches for the
We also saw earlier versions of the installer, which only downloaded one file with the extension
He writes a simple unencrypted log file in
Figure 8. Files created in the random% child directory% APPDATA%
It then provides persistence using the Run registry key, or COM interception . If the display name of the antivirus obtained by Windows Management Instrumentation (WMI) corresponds to Total Security, then it adds the entry
Otherwise, it replaces the registry entry in
Figure 9. Registry modification for sustainability
The rest of the CLSIDs are hardcoded in a binary file, but we did not see them being used. The full list is available in the section with compromise indicators.
As explained in the previous section, the installer sends some information, such as a unique sample ID, username, or ARP table, to the Adobe
Before running the main backdoor, the installer creates a
A launcher called
Figure 10. Launch pseudocode
However, he uses some tricks to load the intercepted library and return to the right address. The process is described below:
1. Get the original return address after a legitimate call to
Figure 11. Address lookup after calling LoadLibrary
2. Allocate RWX memory containing the following values:
Figure 12. Memory Allocation
3. Switch to the capture function by modifying the address of the
4. In the interception function:
a. function call, which is responsible for loading
b.
c. go to the original address of the reply before interception.
Since the original DLL is loaded, the user will most likely not notice that the backdoor is running.
In early versions, in which the loader and backdoor functions are combined in one file,
Figure 13. Loader and backdoor in one library
The main backdoor of this campaign
Figure 14. In the DLL there is no EXPORT Address Table in the .reloc section
In the
1. It creates an
2. Copies this structure after moving the partition located at the end of the PE image in memory
3. Changes the header field of PE containing the Relative Virtual Address (RVA) of the export table to the address of the newly created export table
With these edits in the memory library, there is an export called
Figure 15. Newly created export table
Figure 16. New export name
Figure 17. Export table patching process
First, the
Secondly, CommanderDLL configures some internal structures and stores configuration values ​​in the registry. Table 1 describes the various registry values ​​that are stored in the
Table 1. Backdoor registry values
All registry values, except for the layout record, are encrypted using a special algorithm, which is described in Section 4.3.2.
Thirdly, the additional address of the C & C server is loaded from a document stored in Google Docs (https://docs.google [.] Com / uc? Authuser = 0 & id = 0B_wY-Tu90pbjTDllRENWNkNma0k & export = download) . It is encrypted using the algorithm described in 4.3.2.
The backdoor uses a special encryption algorithm.Each byte of plain text is added modulo 2 in a stream generated by a function similar to the Blum Blum Shub algorithm . For encryption or decryption, the key and the module are transferred to the encryption function.
Different samples use different keys and modules. Some are hardcoded, some are generated during execution. Table 2 describes the various keys and modules used by malware.
Table 2. Encryption keys and modules
The program maintains a log file called
Figure 18. Log file structure
Figure 19. Log file start
The main backdoor loop is responsible for managing data exchange with the C & C server and executing the commands it sends. At the beginning of each of them, it is in an inactive state for a random time period, but usually about 12 minutes.
Request to server always uses the URL on the same scheme:
Google Chrome 41 uses this default value. The parameter structure is
Figure 20. The structure of the request to the C & C server –GET request with data in the id parameter
Previous sample is the case where the
In all these cases, the encryption key is the first DWORD of the
Figure 21. Selecting the request
The original request contains general information on the compromised machine, such as the result of commands
The C & C server then issues one of the instruction sets as a response. The structure of this answer is shown in Figure 21. The packet is fully encrypted (except for the first four bytes) by the same algorithm borrowed from the Blum Blum Shub, described in section 4.3.2, which uses the first DWORD as the key and 0x7DFDC101 for the module. Each instruction set is encrypted separately using 0x3EB13 for the key and 0x7DFDC101 for the module.
Figure 22. The structure of the C & C response package.
Backdoor can execute some predefined actions, hard-coded in a binary file. Table 3 provides a brief description of the available commands.
Table 3. Description of available backdoor commands
In some analyzed samples, a backdoor can also run PowerShell scripts.
Some fake Flash installers deliver two backdoors to JavaScript instead of Mosquito. These files are flushed to a folder
The first interacts with a web application hosted on the Google Apps Script service at:
The second JavaScript file reads
The campaign shows that Turla Cybergroups has many tools for masking malicious traffic under legitimate. The methods used can be misleading even by experienced users. Using HTTPs could reduce the effectiveness of such attacks — in this protocol it is more difficult to intercept and replace encrypted traffic on the way from the machine to the remote server. File signature verification should be suspicious, because the files used by Turla are not signed, unlike Adobe installers.
In addition, the new campaign points to the interest of Turla in the staff of consulates and embassies located in Eastern European countries. The group makes a lot of effort to ensure access to these sources of information.
For questions related to the campaign, contact threatintel@eset.com.
Three files with the same name, but different extensions (.tlb, .pdb and .tnl) in the folder
Not so long ago, we discovered a new method of compromising workstations that Turla uses. This technique is used in attacks aimed at employees of embassies and consulates of the countries of the former Soviet Union.
1. Overview
For several years, Turla has used fake installers of the Adobe Flash Player to compromise victims. Such a vector does not require complex exploits, success depends on the degree of trustfulness of the user who is persuaded to install the fake.
')
In recent months, we have seen unusual new behavior that leads to infection with one of the Turla backdoors. It is not only packaged with a real Flash installer, but also looks like it’s being downloaded from adobe.com. From the end user's point of view, the remote IP address belongs to Akamai, the official content distribution network (CDN) used by Adobe to distribute its legitimate Flash Player installers. After examining the process, we found out that the fake Flash installers (including the Snake backdoor installer for macOS) performed a GET request at get.adobe.com URLs to exfiltrate data about new compromised machines. According to our telemetry, the IP address is the legitimate IP address used by Adobe.
In this report, we describe the methods that could lead to similar malicious behavior. According to our data, the malware did not use legitimate updates of Adobe Flash Player and is not associated with known vulnerabilities of Adobe products. We can state with confidence that Adobe has not been compromised. The attackers only used the brand to trick users.
We also discovered that the Turla group used a web application hosted on Google Apps Script as a command server (C & C) for JavaScript-malware, which was downloaded by some versions of the fake Flash installer. Obviously, the attackers tend to work as inconspicuously as possible, disguising their activity in the network traffic of the target organizations.
According to telemetry, there is evidence that Turla programs have transmitted information to the get.adobe.com URL at least since July 2016. The victims are on the territory of the former USSR. As for Gazer , another malware developed by Turla, its targets are consulates and embassies of Eastern European countries. We have seen several infections in private companies, but it is unlikely that they were the main targets of the attack. Finally, some of the victims are infected with other malware that Turla is the author, including ComRAT or Gazer.
2. Why do we associate this campaign with a group of Turla?
Before analyzing the unusual network connections, we will explain why we attribute this campaign to Turla.
First, some of the fake installers Adobe Flash Player downloads the Mosquito backdoor, which some security companies associate with Turla.
Secondly, some C & C servers associated with hosted backdoors use or have previously used Turla-related SATCOM IP addresses.
Thirdly, malware has common features with other tools of the Turla group. The similarity includes an identical obfuscation of lines (putting lines on the stack and applying XOR with 0x55) and the same API resolution.
These elements allow you to determine with certainty the connection of the campaign with Turla.
3. The illegitimate use of Adobe Flash and domains associated with Flash
Using Flash fake installers is not a new tactic for Turla. So, experts documented this behavior in 2014. However, in our opinion, the malware is first downloaded via HTTP from legitimate URLs and Adobe IP. This could be misleading, even for experienced users.
3.1. Imitation of distribution through adobe.com
Since the beginning of August 2016, we have found several attempts to download the Turla installer from the address admdownload.adobe.com.
At first glance it seemed that we would see a typical trick consisting in setting the Host header of the HTTP request, while the TCP socket is set to the IP address of the C & C server. But after deep analysis, we realized that the IP address is legitimate and belongs to Akamai, a large content delivery network (CDN) used by Adobe to distribute the legitimate Flash installer.
Even if the executable file is loaded from a legitimate URL (for example,
http://admdownload.adobe.com/bin/live/flashplayer27_xa_install.exe ), the referrer field looks changed. We saw that the field was changed to http://get.adobe.com/flashplayer/download/?installer=Flash_Player , which is not similar to the URL pattern used by Adobe, which caused a 404 error when requested.It is important to note that all download attempts found in the collected data were made via HTTP, not HTTPS. This allows you to perform a wide range of attacks on the way from the user's machine to Akamai servers.
The following section discusses possible compromise scenarios. The question of what actually happened remains open. We would appreciate feedback if you have additional information.
3.2. Compromise hypotheses
Figure 1 presents hypotheses that could explain how to force a user, possibly visiting the legitimate Adobe website via HTTP, to download the Turla malware.
Figure 1. Possible interception points on the way between the machine of the potential victim and the Adobe servers
We quickly eliminated the unauthorized DNS server hypothesis, since the IP address corresponds to the servers used by Adobe to distribute Flash. After discussing with Adobe and based on their investigations, scenario 5 seems unlikely, since the attackers did not compromise the Flash Player download site . Thus, the following options remain:
1) an attack with a “man in the middle” (MitM) using a compromised machine in the local network,
2) a compromised network gateway or proxy organization,
3) MitM attack at the level of the Internet service provider (ISP),
4) attack on BGP routers ( Border Gateway Protocol hijacking ) to redirect traffic to Turla-controlled servers.
3.2.1. Local MitM Attack
Turla operators could use the already compromised machine on the victim’s network to carry out a local MitM attack. With ARP spoofing, they could redirect traffic from the target machine to the compromised one on the fly. And although we are not aware of the availability of such tools in the Turla arsenal, they are not difficult to develop, given the technical capabilities of this group.
However, we found many victims in different organizations. This means that Turla would have to compromise at least one computer in each of these organizations, more precisely, a computer in the subnet of a preferred target.
3.2.2. Compromised gateway
This attack is similar to the previous one, but it is much more interesting for attackers - they can intercept traffic from the entire organization without ARP spoofing, since gateways and proxies usually see all incoming and outgoing traffic between the intranet and the Internet. We do not know about the presence or absence of a tool for solving this problem with Turla, but their Uroburos rootkit has the ability to analyze packets. It can be installed on servers and used as a proxy to distribute tasks for infected machines that do not have a public IP address . Turla has sufficient expertise and resources to modify the Uroburos code to intercept traffic on the fly and introduce malicious components, or otherwise change unencrypted content.
3.2.3. MitM provider-level attack
If traffic is not intercepted before leaving the organization’s internal network, it changes later, on the way to Adobe servers. The main access point on this segment are Internet providers. Earlier in ESET announced the spread of FinFisher spyware through the introduction of packages at the ISP level.
All victims known to us are in the countries of the former USSR. They use the services of at least four Internet service providers. Thus, this scenario assumes that Turla has the ability to monitor traffic in different countries, or data transmission channels.
3.2.4. BGP Router Attack
If the traffic is not changed by the service provider and does not reach the Adobe servers, it means that it is redirected to another server controlled by Turla operators. This can be done by performing an attack on BGP routers in one of the following ways.
On the one hand, Turla operators could use the Autonomous System (AS) to declare a prefix belonging to adobe.com. Thus, traffic sent to adobe.com from places close to the controlled Turla AS will be sent to their server. An example of such malicious activity was analyzed by RIPE. However, this would be quickly noticed in Adobe or in a service that performs BGP monitoring. In addition, we checked RIPEstat statistics and did not notice any suspicious route announcements for the Adobe IP addresses used in this campaign.
On the other hand, Turla operators could use their AS to advertise a shorter path than any other AS to Adobe servers. Thus, the traffic would also go through their routers and could be intercepted and changed in real time. However, most of the traffic to Adobe servers would be redirected to an unauthorized router - it is difficult to disguise such tactics and there is a chance that after launching in August 2016, the campaign would soon be discovered.
3.2.5. Total
Of the five scenarios presented in Figure 1, we considered only four, as we are sure that Adobe was not compromised. The attack on BGP routers and the MitM attack at the service provider level are more difficult than others. We assume that the Turla group uses a special tool installed on the local gateways of the target organizations, which allows you to intercept and modify traffic before it leaves the intranet.
3.3. Getting information through the URL of get.adobe.com
After the user has downloaded and launched the fake Flash installer, the compromise process starts. It starts with the introduction of the Turla backdoor. It may be Mosquito, malware for 32-bit Windows, described in section 4; a malicious javascript file that communicates with a web application on the Google Apps Script service, described in section 5; or unknown file downloaded from Adobe fake URL:
http://get.adobe.com/flashplayer/download/update/[x32|x64]In the latter case, since there is no such URL on the Adobe server, to transfer content through it to the Turla group, you need something like MitM on the path between compromised machines and Adobe servers.
Next, a query is executed that displays information about the new compromised machine. This is a GET request at
http://get.adobe.com/stats/AbfFcBebD/q=<base64-encoded data> . According to our data, the legitimate IP address of Adobe is used, but the URL pattern is not similar to that used by Adobe, which causes a 404 error upon request. Since the request is executed via HTTP, the MitM attack scripts, mentioned earlier in section 3.2, are most likely used.Figure 2. Code making a request to the fake URL get.adobe.com
The base64-encrypted data contains confidential information about the victim’s machine. It would be strange if she actually went to the Adobe server. Figure 3 is an example of a decoded report. The data includes a unique ID (the last 8 bytes of the fake Flash installer executable, as shown in Figure 4), the username, the list of installed security products, and the ARP table.
Figure 3. Installation report sent to the dummy get.adobe.com URL
Figure 4. Unique ID at the end of the installer
Interestingly, the Snake installer for macOS (the backdoor associated with Turla) uses the same URL as in Figure 5. The information transferred is somewhat different because it contains only the user name and the device name, although it is still encoded in base64. However, this behavior was not documented by Fox-IT when publishing the analysis.
Figure 5. The code that executes the request for the substitute URL URL get.adobe.com in the Snake installer for macOS
Finally, the fake installer injects or downloads, and then launches the legitimate Flash Player application. The legitimate installer is either built into the fake installer, or downloaded via the following path to the Google Drive URL:
https://drive.google[.]com/uc?authuser=0&id=0B_LlMiKUOIstM0RRekVEbnFfaXc&export=download4. Win32 backdoor analysis
In this section, we describe samples found in-the-wild, mainly in 2017. We found evidence that the campaign has been going on for several years, and the samples of 2017 are the result of the evolution of the backdoor into the file
InstructionerDLL.dll . Early samples were less obfuscated, they only had DLL backdoor without a loader, which appeared in later versions. Some of the older samples have a compilation time stamp of 2009, but most likely they have been corrected.4.1. Installer
It comes as a fake Flash installer and is bundled with two additional components that are later dropped to disk. As explained above, we found several users who downloaded the Flash fake installer from the URL and IP used by Adobe to distribute the legitimate installer.
4.1.1. Encryption
In new versions, the installer is always obfuscated, as it seems to us, with the help of encryption. Figure 6 shows an example of a function obfuscated with this tool.
Figure 6. Obfuscated function
First, this cryptographer widely uses fuzzy predicates together with arithmetic operations. For example, an obfuscated function counts a number from hard-coded values ​​and then compares it in magnitude with another hard-coded value. Thus, during each execution, the process will be the same, but emulation is required to determine the correct path. Therefore, the code becomes too complicated for analysis both for analysts and for automated security software algorithms. This can slow down the emulation to such an extent that the object will not be scanned due to time constraints, and as a result, the specified (if not obfuscated) malware will not be detected.
Second, after the first deobfuscation step, a call is made to the Win32 API
SetupDiGetClassDevs(0,0,0,0xFFFFFFFF) , and the cryptographer checks if the resulting value is 0xE000021A. The function is usually used to obtain information about devices in the system. Although a certain value of Flags (0xFFFFFFFF) not documented, according to our tests, the resulting value always corresponds to 0xE000021A on Windows 7 and Windows 10 machines. We believe that similar API requests and subsequent testing are done to bypass the sandbox and emulation mode that are incorrect in a way.Thirdly, the present code is divided into several fragments, which are decrypted using a special function and are ordered at run time to create PE in memory. It is then performed using the function of the PE bootloader encoder. This PE bootloader contains several debug lines, as shown in Figure 7.
Figure 7. Debug strings in PE loader function
4.1.2. Installation
After decryption, the installer searches for the
%APPDATA% subfolder and drops two files into the folder with the longest path to it. When searching for such a folder, it bypasses any name containing AVAST in the title. He then uses the name of one of the non-hidden files in this folder with the cropped extension as the base name for the dumped files. If all files in the directory are hidden, or if the directory is empty, it uses the name of the %WINDIR%\System32 DLL. The dump loader has the extension .tlb , and the main backdoor is .pdb . Interestingly, it does not use WriteFile to reset two DLLs. Instead, it creates a file, marks it in memory, and calls memmove to copy the data. Perhaps this is done to bypass the hooks to WriteFile security products and sandboxes.We also saw earlier versions of the installer, which only downloaded one file with the extension
.tlb . In this case, the same file contains the functions of the loader and backdoor. DllMain selects which code to execute.He writes a simple unencrypted log file in
%APPDATA%\kb6867.bin . The complete file is created in the same directory as these two DLLs and has the extension .tnl .Figure 8. Files created in the random% child directory% APPDATA%
It then provides persistence using the Run registry key, or COM interception . If the display name of the antivirus obtained by Windows Management Instrumentation (WMI) corresponds to Total Security, then it adds the entry
rundll32.exe [path to backdoor], StartRoutine to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\auto_update .Otherwise, it replaces the registry entry in
HKCR\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InprocServer32 or HKCR\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\InprocServer32 These CLSIDs are EhStorShell.dll and ntshrui.dll respectively. These DLLs are legitimately started by many processes, including explorer.exe , a Windows graphical interface. Thus, the bootloader will be called every time explorer.exe launched. Finally, it adds a registry entry to store the path to the original intercepted DLL and the main backdoor, as shown in Figure 9.Figure 9. Registry modification for sustainability
The rest of the CLSIDs are hardcoded in a binary file, but we did not see them being used. The full list is available in the section with compromise indicators.
As explained in the previous section, the installer sends some information, such as a unique sample ID, username, or ARP table, to the Adobe
get.adobe.com domain URL. It also launches the real Adobe Flash installer, which is either downloaded from Google Drive or built into the fake installer.Before running the main backdoor, the installer creates a
HelpAssistant administrator HelpAssistant (or HelpAsistant in some samples) with the password sysQ!123 . LocalAccountTokenFilterPolicy changed to 1 , allowing remote control actions. We believe that this account name is necessary to go unnoticed, as this name is used during the legitimate session of remote assistance .4.2. DebugParser (launcher)
A launcher called
DebugParser.dll is called during the loading of a captured COM object. It is responsible for starting the main backdoor and loading the intercepted COM object. A simplified pseudo-component code is shown in Figure 10.Figure 10. Launch pseudocode
However, he uses some tricks to load the intercepted library and return to the right address. The process is described below:
1. Get the original return address after a legitimate call to
LoadLibrary . At the beginning of the DllMain is stored registry value ESP. It then checks FF 15 (CALL call operation code) in ESP - 6. If it is present, the registry leaves the original return address.Figure 11. Address lookup after calling LoadLibrary
2. Allocate RWX memory containing the following values:
Figure 12. Memory Allocation
3. Switch to the capture function by modifying the address of the
DllMain response.4. In the interception function:
a. function call, which is responsible for loading
ntshrui.dll (or any other intercepted library)b.
FreeLibrary call in DebugParser.dll (backdoor loader)c. go to the original address of the reply before interception.
Since the original DLL is loaded, the user will most likely not notice that the backdoor is running.
In early versions, in which the loader and backdoor functions are combined in one file,
DllMain chooses which code to execute, as shown in Figure 13.Figure 13. Loader and backdoor in one library
4.3. Main backdoor
The main backdoor of this campaign
CommanderDLL.dll , so named by the authors, is launched either by the bootloader described above, or directly at launch, if the selected persistence mechanism is the Run key in the registry. In both cases, the export of StartRoutine , as shown in Figure 14, but this export is not in the DLL export table.Figure 14. In the DLL there is no EXPORT Address Table in the .reloc section
In the
DllMain function, an export table is created to output it:1. It creates an
IMAGE_EXPORT_DIRECTORY structure with StartRoutine as the name of a single export.2. Copies this structure after moving the partition located at the end of the PE image in memory
3. Changes the header field of PE containing the Relative Virtual Address (RVA) of the export table to the address of the newly created export table
With these edits in the memory library, there is an export called
StartRoutine , as shown in Figures 15 and 16. Figure 17 is a screenshot from a Hex-Rays decompiler showing the code for the entire process of adding this export.Figure 15. Newly created export table
Figure 16. New export name
Figure 17. Export table patching process
4.3.1. Customization
First, the
CommanderDLL module deletes the dropper file (fake Flash installer). The path is passed from the dropper through a named pipe called \\.\pipe\namedpipe . Then, in the new process, it creates the second named pipe \\.\pipe\ms32loc , and waits until another process connects to this channel, after which the program ends.Secondly, CommanderDLL configures some internal structures and stores configuration values ​​in the registry. Table 1 describes the various registry values ​​that are stored in the
HKCU\Software\Microsoft\[dllname] .Table 1. Backdoor registry values
All registry values, except for the layout record, are encrypted using a special algorithm, which is described in Section 4.3.2.
Thirdly, the additional address of the C & C server is loaded from a document stored in Google Docs (https://docs.google [.] Com / uc? Authuser = 0 & id = 0B_wY-Tu90pbjTDllRENWNkNma0k & export = download) . It is encrypted using the algorithm described in 4.3.2.
4.3.1. Encryption
The backdoor uses a special encryption algorithm.Each byte of plain text is added modulo 2 in a stream generated by a function similar to the Blum Blum Shub algorithm . For encryption or decryption, the key and the module are transferred to the encryption function.
Different samples use different keys and modules. Some are hardcoded, some are generated during execution. Table 2 describes the various keys and modules used by malware.
Table 2. Encryption keys and modules
4.3.3. Log
The program maintains a log file called
[dllname].tnl. Interestingly, it contains a timestamp of each entry, which allows you to track the chain of events occurring on the compromised machine. This can be useful for cybercriminals. It is encrypted using the algorithm described above. The key is located after the indent in 0x20 in the header of the log file, the module is always 0x5DEE0B89. Figure 18 describes the structure of this file.Figure 18. Log file structure
Figure 19. Log file start
4.3.4. Data exchange C & C server and backdoor commands
The main backdoor loop is responsible for managing data exchange with the C & C server and executing the commands it sends. At the beginning of each of them, it is in an inactive state for a random time period, but usually about 12 minutes.
Request to server always uses the URL on the same scheme:
https://[C&C server domain]/scripts/m/query.php?id=[base64(encrypted data)]. The user software agent is hard-coded in the samples and cannot be changed:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36Google Chrome 41 uses this default value. The parameter structure is
iddescribed in Figure 20.Figure 20. The structure of the request to the C & C server –GET request with data in the id parameter
Previous sample is the case where the
idGET request parameter contains a structureData. However, the data may also be contained within a cookie (with a full name) or a POST request. Figure 21 describes the various possibilities.In all these cases, the encryption key is the first DWORD of the
idURL address structure . The key, in combination with the 0x7DFDC101 module, can decrypt the structure id, POST data and cookie value. The payload is then decrypted from the data structure.Figure 21. Selecting the request
The original request contains general information on the compromised machine, such as the result of commands
ipconfig, set, whoamiand tasklist.The C & C server then issues one of the instruction sets as a response. The structure of this answer is shown in Figure 21. The packet is fully encrypted (except for the first four bytes) by the same algorithm borrowed from the Blum Blum Shub, described in section 4.3.2, which uses the first DWORD as the key and 0x7DFDC101 for the module. Each instruction set is encrypted separately using 0x3EB13 for the key and 0x7DFDC101 for the module.
Figure 22. The structure of the C & C response package.
Backdoor can execute some predefined actions, hard-coded in a binary file. Table 3 provides a brief description of the available commands.
Table 3. Description of available backdoor commands
In some analyzed samples, a backdoor can also run PowerShell scripts.
5. JavaScript backdoor analysis
Some fake Flash installers deliver two backdoors to JavaScript instead of Mosquito. These files are flushed to a folder
%APPDATA%\Microsoft\. They are called google_update_checker.js local_update_checker.js.The first interacts with a web application hosted on the Google Apps Script service at:
(https://script.google[.]com/macros/s/AKfycbwF_VS5wHqlHmi4EQoljEtIsjmglLBO69n_2n_k2KtBqWXLk3w/exec)and waits for a response encoded on base64. It then executes the decoded content with eval. We do not know the exact purpose of the additional backdoor, but it can be used to download additional Malvar, or execute malicious JavaScript code directly. To ensure persistence, it adds value Shellto HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.The second JavaScript file reads
%ProgramData%\1.txtand executes the contents using the function eval. To ensure persistence, it adds valuelocal_update_checkin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.6. Conclusion
The campaign shows that Turla Cybergroups has many tools for masking malicious traffic under legitimate. The methods used can be misleading even by experienced users. Using HTTPs could reduce the effectiveness of such attacks — in this protocol it is more difficult to intercept and replace encrypted traffic on the way from the machine to the remote server. File signature verification should be suspicious, because the files used by Turla are not signed, unlike Adobe installers.
In addition, the new campaign points to the interest of Turla in the staff of consulates and embassies located in Eastern European countries. The group makes a lot of effort to ensure access to these sources of information.
For questions related to the campaign, contact threatintel@eset.com.
7. Indicators of compromise
7.1. Addresses of command servers (by year)
2017: smallcloud.ga
2017: fleetwood.tk
2017: docs.google.com/uc?authuser=0&id=0B_wY-Tu90pbjTDllRENW
NkNma0k&export=download (adstore.twilightparadox.com)
2017: bigpen.ga
2017: https://script.google.com/macros/s/AKfycbxxPPyGP3Z5wgwbs
mXDgaNcQ6DCDf63vih-Te_jKf9SMj8TkTie/exec
2017: https://script.google.com/macros/s/AKfycbwF_VS5wHqlH
mi4EQoljEtIsjmglLBO69n_2n_k2KtBqWXLk3w/exec
2017-2015: ebay-global.publicvm.com
2017-2014: psychology-blog.ezua.com
2016: agony.compress.to
2016: gallop.mefound.com
2016: auberdine.etowns.net
2016: skyrim.3d-game.com
2016: officebuild.4irc.com
2016: sendmessage.mooo.com
2016, 2014: robot.wikaba.com
2015: tellmemore.4irc.com7.2. Fake adobe addresses
http://get.adobe[.]com/stats/AbfFcBebD/?q=<base64-encoded data>
http://get.adobe[.]com/flashplayer/download/update/x32
http://get.adobe[.]com/flashplayer/download/update/x647.3. Unofficial addresses of legitimate flash installers
https://drive.google[.]com/uc?authuser=0&id=0B_LlMiKUOIsteEtraEJYM0QxQVE&export=download
https://drive.google[.]com/uc?authuser=0&id=0B_LlMiKUOIstM0RRekVEbnFfaXc&export=download7.4. Hashes
7.5. Windows artifacts
7.5.1. Intercepted CLSID
{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}
{08244EE6-92F0-47F2-9FC9-929BAA2E7235}
{4E14FBA2-2E22-11D1-9964-00C04FBBB345}
{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}
{603D3801-BD81-11D0-A3A5-00C04FD706EC}
{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}
{9207D8C7-E7C8-412E-87F8-2E61171BD291}
{A3B3C46C-05D8-429B-BF66-87068B4CE563}
{0997898B-0713-11D2-A4AA-00C04F8EEB3E}
{603D3801-BD81-11D0-A3A5-00C04FD706EC}
{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}7.5.2. Files
Three files with the same name, but different extensions (.tlb, .pdb and .tnl) in the folder
%APPDATA%%APPDATA%\kb6867.bin(simplified log file)7.6. Detection by ESET products
7.6.1. Recent samples
Win32/Turla.CQ
Win32/Turla.CP
Win32/Turla.CR
Win32/Turla.CS
Win32/Turla.CT
Win32/Turla.CU
Win32/Turla.CV
Win32/Turla.CW
Win32/Turla.CX7.6.2. Old options
Win32/TrojanDownloader.CAM
Win32/TrojanDownloader.DMU7.6.3. JavaScript backdoor
JS/Agent.NWB
JS/TrojanDownloader.Agent.REGSource: https://habr.com/ru/post/352784/
All Articles