Matthieu Faou, ESET After having tracked Turla's activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). Turla, also known as Snake, is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaign was against the US military ten years ago and they are still very active. In early 2018, the group broke the news for having successfully breached the German Foreign Office. Some details quickly leaked in news outlets. Turla operators were in the German government network since the end of 2016 and they used a backdoor fully controlled by emails. As no public information were available online, we started analysing the so-called Outlook Backdoor. During our investigation, we were able to identify other important victims such as two Ministries of Foreign Affair in Europe and a large defense contractor. In this talk, we will present a detailed analysis of this malware, which is a full-featured backdoor targeting email clients. Its main target is Microsoft Outlook but it can also interact with The Bat!, an email client widely used in Eastern Europe. To interact with Microsoft Outlook, it leverages the Messaging Application Programming Interface (MAPI). The commands are received through specially crafted PDF attachments that are then decoded and interpreted by the backdoor. There is no strong authentication to verify the identity of the command sender. Thus, anybody understanding the command format would be able to control the compromised machines. It leads to additional security risk for the victims. The malware also exfiltrates highly-sensitive data such as the outgoing emails sent by the infected user. The hardcoded e-mail address used for exfiltration was registered at a popular European free email provider. We will present the analysis of the complex structure that embeds the commands. We will also provide a demo showing it is possible to fully control an infected machine by just sending an email with a PDF attached. This unusual way of communication for a backdoor helps the attackers to blend in the normal network traffic and bypass security monitoring solutions. We will also present older versions of this backdoor, as we were able to trace it back as early as 2013. Finally, we will discuss possible mitigations and methods to detect this backdoor.

1. A Turla Gift:
Popping calc.exe by sending an email
Matthieu Faou | Malware Researcher

2. Matthieu Faou
Malware Researcher
@matthieu_faou
2

3. Agenda
1. Introduction: Turla
2. Outlook backdoor
3. Demo
4. Mitigations
3

4. History

5. Timeline
Moonlight
Maze
1998
5

6. Timeline
Moonlight
Maze
US Department of
Defense breach
2008
1998
6

7. Timeline
Moonlight
Maze
US Department of
Defense breach
2008
1998
7

8. Timeline
Moonlight
Maze
US Department of
Defense breach
Finnish MFA
breach
2008
20131998
8

9. Timeline
Moonlight
Maze
US Department of
Defense breach
Finnish MFA
breach
2008
20131998
2014
RUAG breach
9

10. Timeline
Moonlight
Maze
US Department of
Defense breach
Finnish MFA
breach
MitM/MotS
on adobe.com
2008
201620131998
2014
RUAG breach
10

11. Timeline
Moonlight
Maze
US Department of
Defense breach
Finnish MFA
breach
MitM/MotS
on adobe.com
German Government
breach goes public
2008
2016
2018
20131998
2014
RUAG breach
11

12. Arsenal

13. Meet Turla’s Arsenal | Mosquito
•First stage backdoor
•Fake Flash installer
•MitM/MotS on adobe.com
13

14. 14

15. Meet Turla’s Arsenal | OSX/Snake
•MacOS
backdoor
•Similar
MitM/MotS on
get.adobe.com
15

16. Meet Turla’s Arsenal | OSX/Snake
•MacOS
backdoor
•Similar
MitM/MotS on
get.adobe.com
16

17. Meet Turla’s Arsenal | Carbon and Gazer
•2nd stage
•Similar
architecture
17

18. Meet Turla’s Arsenal | Uroboros
•Rootkit
•Bypass Windows Driver Signature Enforcement
• Vulnerable VirtualBox driver
• Signature not revoked (even if expired)
18

19. 19

20. Outlook Backdoor

21. The group Snake is said
to have attacked the
German government
network.
21

22. Hackers have been able
to copy data from the
government networks via
the Outlook mail
program.
22

23. We need to look deeper
23

24. Summary
•Backdoor entirely controlled by PDF
attachments sent to the victim’s mailbox.
•Exfiltration through emails.
•Persistence by COM hijacking the Outlook
Protocol Manager.
24

25. Targets
•Ministry of Foreign
Affairs
•Defense contractors
•?
25

26. Timeline
Oldest
compilation
timestamp
2009
26

27. Timeline
Oldest
compilation
timestamp
First sample
uploaded on
VirusTotal
2009
2010
27

28. Timeline
Oldest
compilation
timestamp
First sample
uploaded on
VirusTotal
Execute
commands
sent by emails
(XML)
2009
2010
2013
28

29. Timeline
Oldest
compilation
timestamp
First sample
uploaded on
VirusTotal
Execute
commands
sent by emails
(XML)
2009
2010 2016 (?)
2013
Commands are hidden
in PDF documents
29

30. Timeline
Oldest
compilation
timestamp
First sample
uploaded on
VirusTotal
Execute
commands
sent by emails
(XML)
Public announcement
of the German incident
2009
2010
Mar. 2018
2016 (?)
2013
Commands are hidden
in PDF documents
30

31. Timeline
Oldest
compilation
timestamp
First sample
uploaded on
VirusTotal
Execute
commands
sent by emails
(XML)
Public announcement
of the German incident
Our report
goes public
2009
2010
Mar. 2018
2016 (?)
2013
Commands are hidden
in PDF documents
Aug. 2018
31

32. Installation
•COM object hijacking
• Quite old technique
• ComRAT & Mosquito
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer
-VB2011.pdf
• https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-
the-discreet-way-of-persistence
•Outlook Protocol Manager.
32

33. HKCR = HKCU + HKLM
33

34. 34

35. 35

36. 36

37. 37

38. https://msdn.microsoft.com/en-us/library/bb756926.aspx
Beginning with Windows Vista® and
Windows Server® 2008, if the
integrity level of a process is higher than
Medium, the COM runtime
ignores per-user COM configuration and
accesses only per-machine
COM configuration.
38

39. https://msdn.microsoft.com/en-us/library/bb756926.aspx
Beginning with Windows Vista® and
Windows Server® 2008, if the
integrity level of a process is higher than
Medium, the COM runtime
ignores per-user COM configuration and
accesses only per-machine
COM configuration.
39

40. https://msdn.microsoft.com/en-us/library/bb756926.aspx
Beginning with Windows Vista® and
Windows Server® 2008, if the
integrity level of a process is higher than
Medium, the COM runtime
ignores per-user COM configuration and
accesses only per-machine
COM configuration.
40

41. Interactions with the mail client
•Main target: Microsoft Outlook.
•The Bat! in the first versions (<= 2013).
41

42. 42

43. 43

44. MAPI
•Messaging Application Programming Interface
•COM-based API
•Allows software to be email-aware
•Replace olmapi32.dll
44

45. 45

46. 46

47. 47

48. 48

49. 49

50. 50

51. 51

52. Outgoing emails
•All outgoing emails are forwarded to the
attacker’s email address
•Can be disabled by changing a config value in
the registry
52

53. 53

54. 54

55. 55

56. 56

57. Outgoing emails
•Information is exfiltrated at the same time the
victim sends an email
• Prevent sending emails at unusual hours
•Data is encrypted and stored in a PDF attached
to the email
57

58. 58

59. 59

60. 60

61. Operator email addresses
61

62. Operator email addresses
62

63. Operator email addresses
63

64. Operator email addresses
64

65. Operator email addresses
•In recent campaigns, we have seen them using
gmx.com
•Pattern seems firstname.lastname@[free webmail]
•Sometimes, they impersonate the victim
65

66. 66

67. Incoming emails
•All incoming email metadata is logged (subject,
sender, etc.)
•Checks if the attachment is a PDF and contains a
command
67

68. 68

69. Hiding UI artefacts
•Delete all backdoor-related messages
• Sent
• Received
• If it contains the operator email address
•Hooks
69

70. Hiding UI artefacts
70

71. Hiding UI artefacts
71

72. Hiding UI artefacts
72

73. Hiding UI artefacts
73

74. Backdoor
•Fully-controlled by email
• Commands are contained in PDF attachments
• Old versions: XML in the email body
•Operator agnostic
• Even if the email address is took down, a command can
be sent from any other email address
74

75. Backdoor | PDF format
•Really complex – a pain to reverse
• Probably just to make analysis more time consuming
•Valid PDF document
•Data appended after a JPG
75

76. 76

77. 77

78. 78

79. 79

80. 80

81. Container Version
81

82. Container Version
82

83. 83

84. Instruction descriptors
ID Description
2 Offset of the decryption function (should be 0x11)
3 Decryption key ID (should be 0x1)
4 Offset of the decompression function (should be
0x11)
6 Size of encrypted data
7 CRC32 of encrypted data
84

85. 85

86. 86

87. Backdoor | Functions
ID Commands
0x10 Not implemented
0x11 Display a MessageBox
0x12 Sleep
0x20 Delete file
0x21 Get file
0x22 Set operator email address
0x23 Put file
0x24 Run shell command
0x25 Create process
0x26 Delete directory
0x27 Create directory
0x28 Change timeout
0x29 Run PowerShell command (PSInject - 2018)
0x2A Set answer mode (2018)
87

88. 88

89. Backdoor | Encryption
•They changed the s-tables
•They modified slightly some functions
•It breaks crypto detection tools
89

90. Turla Encryption History
•Carbon and Snake: CAST-128
•Gazer: Custom RSA implementation
•Mosquito: BlumBlumShub
•Uroboros: Threefish
90

91. Backdoor | Encryption
•Identification of the main characteristics
• Symmetric
• 128-bit key
• Two hardcoded tables
• 64-bits block
• 8 rounds
91

92. 92

93. 93

94. 94

95. 95

96. 96

97. And if you speak French…
97

98. 98

99. Changes to MISTY1
•The 128–bit key is generated from two
hardcoded 1024–bit keys plus a 2048–bit
Initialization Vector.
•They shuffled s7 and s9
•They added XOR operations in FI
99

100. 100

101. Demo

102. Setup
•Windows 7 + Windows 10
•Office 2010 and Office 2013
•Local mail server: hMailServer

103. Mitigations

104. 104

105. On the computer side
•AV detection
•EDR/Sysmon (?) to identify COM hijacking
•Windows Events: I found nothing?
105

106. Windows Defender Security Center
•!= Windows Defender AV
•Console to tune most of Windows security
settings
• AV/Firewall
• Core isolation
• Exploit protection
106

107. Standard settings
107

108. 108

109. 109

110. 110

111. 111

112. Do not allow child processes
112

113. Do not allow child processes
113

114. Code Integrity Guard
114

115. Code Integrity Guard
115

116. Code Integrity Guard
116

117. Code Integrity Guard
117

118. On the mail server side
•Blocking emails based on PDF format: controlled
by the attackers
•Monitoring duplicate sending of emails
• High FP rate?
• Attacker’s address looks like private victim’s address
118

119. Conclusion
•Backdoor in use since at least 8 years
•Should bypass most network security solutions
•Email is not only an infection vector
•Turla still innovative
119

120. •Comprehensive WhitePaper
released in August 2018
• https://www.welivesecurity.com/w
p-content/uploads/2018/08/Eset-
Turla-Outlook-Backdoor.pdf
• https://github.com/eset/malware-
ioc/tree/master/turla#turla-
outlook-indicators-of-compromise
120

121. www.eset.com | www.welivesecurity.com
Matthieu Faou
Malware Researcher
@matthieu_faou
121