Matthieu Faou, ESET
After having tracked Turla's activities for several years, we now have a unique understanding of their Tools, Tactics and Procedures (TTPs). Turla, also known as Snake, is an espionage group known for targeting governments, diplomats and militaries all around the world. One of their first documented campaigns was against the US military ten years ago, and they are still very active.
In early 2018, the group made the news for having successfully breached the German Foreign Office. Some details quickly leaked to news outlets: Turla operators had been in the German government network since the end of 2016 and used a backdoor fully controlled by emails. As no public information was available online, we started analysing the so-called Outlook Backdoor. During our investigation, we were able to identify other important victims, such as two Ministries of Foreign Affairs in Europe and a large defense contractor.
In this talk, we will present a detailed analysis of this malware, which is a full-featured backdoor targeting email clients. Its main target is Microsoft Outlook, but it can also interact with The Bat!, an email client widely used in Eastern Europe. To interact with Microsoft Outlook, it leverages the Messaging Application Programming Interface (MAPI). The commands are received through specially crafted PDF attachments that are then decoded and interpreted by the backdoor. There is no strong authentication to verify the identity of the command sender; thus, anybody understanding the command format would be able to control the compromised machines. This introduces additional security risk for the victims. The malware also exfiltrates highly sensitive data, such as the outgoing emails sent by the infected user. The hardcoded email address used for exfiltration was registered at a popular European free email provider.
We will present the analysis of the complex structure that embeds the commands. We will also provide a demo showing that it is possible to fully control an infected machine just by sending an email with a PDF attached. This unusual way of communicating for a backdoor helps the attackers blend into normal network traffic and bypass security monitoring solutions. We will also present older versions of this backdoor, as we were able to trace it back as early as 2013. Finally, we will discuss possible mitigations and methods to detect this backdoor.
24. Summary
•Backdoor entirely controlled by PDF attachments sent to the victim’s mailbox.
•Exfiltration through emails.
•Persistence by COM hijacking the Outlook Protocol Manager.
57. Outgoing emails
•Information is exfiltrated at the same time the victim sends an email
• Prevent sending emails at unusual hours
•Data is encrypted and stored in a PDF attached to the email
65. Operator email addresses
•In recent campaigns, we have seen them using gmx.com
•Pattern seems firstname.lastname@[free webmail]
•Sometimes, they impersonate the victim
74. Backdoor
•Fully-controlled by email
• Commands are contained in PDF attachments
• Old versions: XML in the email body
•Operator agnostic
• Even if the email address is taken down, a command can be sent from any other email address
75. Backdoor | PDF format
•Really complex – a pain to reverse
• Probably just to make analysis more time consuming
•Valid PDF document
•Data appended after a JPG
84. Instruction descriptors
ID  Description
2   Offset of the decryption function (should be 0x11)
3   Decryption key ID (should be 0x1)
4   Offset of the decompression function (should be 0x11)
6   Size of encrypted data
7   CRC32 of encrypted data
99. Changes to MISTY1
•The 128-bit key is generated from two hardcoded 1024-bit keys plus a 2048-bit Initialization Vector.
•They shuffled s7 and s9
•They added XOR operations in FI
105. On the computer side
•AV detection
•EDR/Sysmon (?) to identify COM hijacking
•Windows Events: I found nothing?
106. Windows Defender Security Center
•!= Windows Defender AV
•Console to tune most of Windows security settings
• AV/Firewall
• Core isolation
• Exploit protection
118. On the mail server side
•Blocking emails based on PDF format: controlled by the attackers
•Monitoring duplicate sending of emails
• High FP rate?
• Attacker’s address looks like private victim’s address
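As an added illustration of the "duplicate sending" heuristic from slides 57 and 118 (example code written for this page, not ESET's tooling): it scans constructed mail-gateway records for a PDF-carrying copy sent to a free-webmail firstname.lastname address shortly after the same user sent a legitimate mail. The record format, the 60-second window and every free-webmail domain other than gmx.com are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Free-webmail domains: the slides name gmx.com, the others are assumptions.
FREE_WEBMAIL = {"gmx.com", "gmx.net", "outlook.com", "gmail.com"}
# firstname.lastname local part, the operator-address pattern from slide 65.
NAME_RE = re.compile(r"^[a-z]+\.[a-z]+@([a-z0-9.-]+)$", re.I)
WINDOW_SECONDS = 60  # assumed tuning: how soon after the user's mail the copy must leave

def parse_line(line):
    """Parse one constructed gateway record: '<iso time> from=<a> to=<b> attach=<file|->'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "from": fields["from"].lower(),
            "to": fields["to"].lower(), "attach": fields["attach"].lower()}

def looks_like_operator_address(addr):
    m = NAME_RE.match(addr)
    return bool(m) and m.group(1) in FREE_WEBMAIL

def find_exfil_candidates(log_text):
    """Flag a PDF-carrying mail to a free-webmail firstname.lastname address sent within
    WINDOW_SECONDS after the same user mailed someone else (the slide 57/118 pattern)."""
    by_sender = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        by_sender[rec["from"]].append(rec)
    alerts = []
    for sender, msgs in by_sender.items():
        msgs.sort(key=lambda r: r["ts"])
        for i, m in enumerate(msgs):
            if not (m["attach"].endswith(".pdf") and looks_like_operator_address(m["to"])):
                continue
            for prev in reversed(msgs[:i]):  # nearest earlier mail from the same user
                gap = (m["ts"] - prev["ts"]).total_seconds()
                if prev["to"] != m["to"] and gap <= WINDOW_SECONDS:
                    alerts.append((sender, m["to"], prev["to"], gap))
                    break
    return alerts
# Constructed sample records, not real traffic. Alice's and Dana's copies (4 s and 2 s after
# their own mails) should be flagged; Carl's PDF to gmx.com is 30 min later and should not.
SAMPLE_LOG = """\
2018-05-14T09:02:10 from=alice.martin@mfa.example to=bob@partner.example attach=report.docx
2018-05-14T09:02:14 from=alice.martin@mfa.example to=alice.martin@gmx.com attach=scan.pdf
2018-05-14T10:30:00 from=carl.dupont@mfa.example to=team@mfa.example attach=-
2018-05-14T11:00:00 from=carl.dupont@mfa.example to=carl.dupont@gmx.com attach=notes.pdf
2018-05-14T11:10:05 from=dana.lee@mfa.example to=x@vendor.example attach=invoice.pdf
2018-05-14T11:10:07 from=dana.lee@mfa.example to=dana.lee@outlook.com attach=invoice.pdf
"""
```

The third case shows the trade-off slide 118 raises: a user legitimately mailing a PDF to their own private address is indistinguishable by address alone, so the time window is what keeps the false-positive rate manageable.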
119. Conclusion
•Backdoor in use for at least 8 years
•Should bypass most network security solutions
•Email is not only an infection vector
•Turla still innovative
120.
•Comprehensive WhitePaper released in August 2018
• https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf
• https://github.com/eset/malware-ioc/tree/master/turla#turla-outlook-indicators-of-compromise