Turla is a very old and prolific threat group that has been publicly attributed to the Federal Security Service (FSB) of Russia by a foreign intelligence agency. Operating since the late 1990s, it has compromised major government entities, with a heavy focus on embassies and former Soviet states. In this talk I will detail the immense capabilities of Turla, which include the use of satellite networks for infrastructure and the ability to stay undiscovered on victim networks for several years. With Russia actively engaged in open warfare in Ukraine, it is important for all organizations to stay informed about and prepared against this specific threat group.
2. Who am I?
Paul Jaramillo
Director, Threat Hunting & Intelligence
Sophos MDR
Previous: CrowdStrike, Splunk, DoE, GE-CIRT
Current: Saint Louis
Previous: Los Angeles, Dallas, Kansas City, Detroit
Twitter: @DFIR_Janitor
University of Oklahoma
Lots of Certs
3. What am I going to talk about?
Turla: Prolific & Advanced
• Snapshot
• Targeting
• Frequent or Unique TTPs
• Malware
• Lineage
• Linux Capabilities
4. Turla: Snapshot
Actor Type: Nation State Sponsored
Organization: Federal Security Service (FSB) (Alleged)
Observed Goal(s): Sensitive Data Theft
Aliases: Snake, Uroburos, Turla Team, G0010 (MITRE), Group88, Pfinet, WRAITH, Venomous Bear (CrowdStrike), Krypton (Microsoft), Waterbug (Symantec), Iron Hunter/CTG-8875 (Secureworks), White Bear (Kaspersky), TAG_0530 (Google), Pacifier APT (Bitdefender), BelugaSturgeon (Accenture), ITG12 (IBM), BluePython (PWC)
Notable Campaigns & Events:
1998 – Moonlight Maze, US Mil/Gov
2000 – Storm Cloud, US Mil/Gov
2002 – Initial Penquin Development
2003 – Makers Mark, US Mil/Gov
2007 – ComRAT v1 release
2008 – Agent.BTZ, US CENTCOM
2012 – ComRAT v3 release
2014 – Penquin Turla, Swiss RUAG
2017 – G7/G20 Summit Attendees
2018 – Trump DPRK Summit, French Armed Forces
2019 – OilRig Hijack, Austrian Foreign Ministry
5. Turla: Targeting
Known Victims
• NATO
• EU
• USA
• DoD, DoE, NASA, State Dept
• Germany Federal Foreign Office
• French Armed Forces
• Finland Foreign Ministry
• Baltic Defense College
• Ukraine
• Austria
• Economic Chamber
• Foreign Defense Ministry
• RUAG, Swiss Defense Contractor
• Afghanistan
• Armenia
• Embassy in Russia
• Deposit Guarantee Fund
• Institute of International and Security Affairs
Geo/Country
• >45 Countries
• Eastern Europe
• United States
• Western Europe
• Central Asia/Middle East
• Every Geo but Africa
Industry
• Government
• Embassies, Ministries, Diplomatic Missions, NGOs, Research, Science
• Military, Defense Contractors
• Telecommunications, Pharma
• Education, Energy, Technology
6. Turla: Frequent or Unique TTPs
Initial Access
• Waterhole, Spear Phishing
• Takeover of Other Threat Actors' Infrastructure
• Use of Valid Accounts
• Backdoored Android APKs
Execution
• Decoy Word Docs
• Load into memory via PowerShell
• RPC via APIs
• Injection into explorer.exe and default browser
Persistence
• Redundant Backdoors
• JavaScript, .NET, and RPC backdoors
• Registry and Service persistence
• Scheduled tasks
Lateral Movement
• Transfer files to victims with custom tools
• IPC$ via RPC
• SMB shares via net use
Command & Control
• Internal proxy/staging host
• Satellite Networks
• WordPress Sites, Gmail
• Instagram, PasteBin
Exfiltration
• Uploads via WebDAV protocol
• OneDrive, 4shared, Box
• Transfer to separate victim infrastructure
Privilege Escalation
• Reflective DLL injection via Meterpreter
• RPC backdoor impersonates/steals tokens
• Exploitation of VMWare drivers
Defense Evasion
• Heavy obfuscation of strings/payload
• Disable running security agents
• Disable code signature verification
• Bypass AMSI, PatchGuard
Credential Access
• Mimikatz
• Windows Credential Manager
• Brute-force guessing inside victim network
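As an added, defender-side illustration of the Exfiltration row above (this is not part of the original deck and is neither Turla tooling nor a Sophos rule): a small Python detection that scans proxy log lines for WebDAV write methods (PUT, PROPFIND, MKCOL and friends) sent to consumer file-sharing hosts such as OneDrive, 4shared and Box, and reports clients whose uploads pass a byte threshold. The log line format, the hostnames in FILE_SHARING_DOMAINS and the 1 MB threshold are assumptions; the log lines are constructed for the example.

```python
"""Hunt proxy logs for WebDAV-style uploads to consumer file-sharing services.

Added example for the "Exfiltration" TTP on this slide: not Turla tooling and not a
vendor rule. Assumed log format (one line per request):
    <ISO timestamp> <client IP> <HTTP method> <URL> <status> <request bytes>
Hostnames, the byte threshold and the WebDAV method list are assumptions.
"""
import re
from collections import defaultdict

# Methods that create or modify content on a WebDAV share (RFC 4918) plus PUT.
WEBDAV_WRITE_METHODS = {"PUT", "PROPFIND", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# Services named on the slide as exfil destinations (assumed hostnames; extend per environment).
FILE_SHARING_DOMAINS = ("onedrive.live.com", "docs.live.net", "4shared.com", "box.com", "dropbox.com")

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    # Strip scheme, path and port to get the bare host.
    rec["host"] = re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0].split(":")[0].lower()
    return rec


def is_file_sharing_host(host):
    """True when host is one of the listed domains or a subdomain of one (no suffix tricks)."""
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def find_webdav_exfil(lines, min_bytes=1_000_000):
    """Sum request bytes per client for WebDAV write methods aimed at file-sharing hosts.

    Returns {client: total_bytes} for clients at or above min_bytes. Reads (GET) stay out
    of the sum because downloads from these services are normal user behaviour.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WEBDAV_WRITE_METHODS:
            continue
        if not is_file_sharing_host(rec["host"]):
            continue
        totals[rec["client"]] += rec["bytes"]
    return {c: b for c, b in totals.items() if b >= min_bytes}


# Constructed sample, not real traffic. 10.1.2.3 negotiates a WebDAV folder and pushes two
# archives; the other clients are benign noise (internal upload, download, tiny upload).
SAMPLE_LOG = [
    "2022-06-01T10:00:01Z 10.1.2.3 GET https://www.example.org/ 200 0",
    "2022-06-01T10:02:10Z 10.1.2.3 PROPFIND https://d.docs.live.net/abc/Documents/ 207 812",
    "2022-06-01T10:02:11Z 10.1.2.3 MKCOL https://d.docs.live.net/abc/Documents/backup 201 0",
    "2022-06-01T10:02:30Z 10.1.2.3 PUT https://d.docs.live.net/abc/Documents/backup/a.rar 201 2500000",
    "2022-06-01T10:03:30Z 10.1.2.3 PUT https://d.docs.live.net/abc/Documents/backup/b.rar 201 2400000",
    "2022-06-01T10:05:00Z 10.1.2.4 PUT https://intranet.example.org/upload 200 9000000",
    "2022-06-01T10:06:00Z 10.1.2.5 GET https://www.box.com/s/shared-file 200 0",
    "2022-06-01T10:07:00Z 10.1.2.6 PUT https://www.4shared.com/upload 200 1200",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    for client, total in sorted(find_webdav_exfil(SAMPLE_LOG).items()):
        print(f"{client}: {total} bytes uploaded via WebDAV to file-sharing hosts")
```

The host match deliberately requires an exact domain or a dotted subdomain, so a lookalike such as box.com.attacker.example does not count as Box; in a real deployment the domain list would come from the organisation's sanctioned-versus-unsanctioned cloud storage inventory, and the bytes field should be whichever column the proxy uses for client-sent bytes.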
7. Turla: Malware
(First seen, Last seen, Name, Notes)
1998–2011 Loki2: DH/Blowfish, UNIX backdoor, packet sniffer, precursor to Penquin, DNS and ICMP tunneling, typo-squatted BBC domains
2002–2020 Penquin: Coded in C, 32/64-bit Linux (Ubuntu/CentOS), port knocking via pcap, fake cron, post-compromise infrastructure, use of satellite networks, 4 years until discovery
2007–2012 Carbon/Cobra: 32/64-bit Windows kernel driver rootkit, encrypted VFS, replaced by CarbonDLL in 2012, option for Pastebin C2
2007–2020 ComRAT/COMpfun/Agent.BTZ/Reductor: Internal name "Chinch", 2nd-stage backdoor, harvests and exfiltrates sensitive data, custom C2 protocol, decryption password unique to each victim host, v4 updated to use Gmail C2, empty email with docx or xlsx
2011–2014 Epic/TavDig/WipBot: 2nd-stage recon, CVE-2013-5065, proprietary PE format, heavy obfuscation, injects into svchost.exe then IE, Outlook, or Firefox
2013–2017 Snake/Uroburos: Exploits signed VMWare driver vboxdrv.sys, evolution of Carbon rootkit
2014–2019 Skipper/Kotel: First-stage implant, RAR-SFX packaged with Adobe Flash, persists via regkeys, uses scheduled tasks, delivered via phishing and watering holes, also described in Pacifier APT report (ubfic.exe and dws.exe)
2014–2018 LightNeuron: Backdoor uses malicious MS Exchange Transport Agent, steganography (pdf and jpeg attachments), spies on all emails on the compromised mail server
2015–2020 Crutch: 2nd stage after Skipper, staging, compression (rar/zip) and exfiltration to Dropbox using API, persists via DLL hijacking
2015–2016 IcedCoffee: First JavaScript backdoor, dropped by malicious RTF and DOCs, no native command capability, more targeted distribution
2016–2017 Gazer: C++, 2nd stage often follows Skipper, 6 persistence modes, limited functions: update, upload, download, execute, used in WhiteBear campaign
2016–2019 KopiLuwak: Dropped via decoy document, JavaScript payload encrypted with RC4, profiles victim with wscript and allows ad hoc commands
8. Turla: Malware
(First seen, Last seen, Name, Notes)
2017–2018 Nautilus: 2nd stage after Snake, similar to Neuron, nautilus-service.dll, persistence via service, listens for HTTP commands
2017–2020 Kazuar: .NET-based, replaced Carbon, packed with ConfuserEx, regkey persistence, C2 uses AuthToken in the Cookie of an HTTP GET request, compromised WordPress, also uses secondary Pastebin C2
2018–2020 Mosquito/Commander: Win32 backdoor, fake Flash installer, uses Metasploit before dropping custom backdoor, moved exfil through get.adobe[.]com
2018–2020 HyperStack (BigBoss): RPC-based, uses named pipes for controller communication, used as staging server inside victim org to enumerate additional victims via IPC$
2019–2020 PowerStallion: Persists via WMI and PS profile, payload stored in registry and created via PowerSploit, uses AMSI bypass, OneDrive C2
2018–2019 PoisonFrog/BondUpdater: PS backdoor, DNS C2, hijacked APT32/OilRig PoisonFrog C2 panels to deliver Turla malware, source code leaked
2019–2020 PyFlash: 2nd stage installed by NetFlash, py2exe, first use of Python by Turla, AES-encrypted C2 using the HTTP POST method
2020–2021 TinyTurla: 2nd-stage dropper, w64time[.]dll launched via services, installed via .bat, only 13 KB
10. Turla: Infrastructure
Key Points:
• Custom backdoors with HTTPS
• Leverages compromised infrastructure
• Capable of various exfiltration techniques
11. Spotlight - Linux Threat Activity
Penquin Implant details [1]
• First seen in the wild in 2011 (RUAG), alleged to be as old as 1999, with new samples detected as recently as 2020
• Penquin doesn't require root permissions on Linux to run
• C code with symbols stripped, but still a 627 KB file
• All versions use Blowfish encryption with the same IV
• Requires: glibc, OpenSSL, and libpcap
• Terminates the udevd event manager daemon [2] [3]
• Activity not visible in netstat command output
• Requires 2 parameters: an ID (numerical value for "magic packet" authentication) and a network interface name
  The TCP magic packet is a specific ACK number in the header
  The UDP magic packet is the 2nd byte in the body
• Statically links pcap libraries to access raw sockets
• No initial callback at execution, but it does hold a hardcoded C2 information string. The first version would wait for an activation packet which contained the C2, and the second version leveraged satellite IP networks and a hardcoded TCP port 1773.
• After a successful magic packet, a new socket is created, its PID and IP address are reported to the C2, and it is ready to receive and execute any commands using "/bin/sh -c"
  Before executing the command, the implant checks whether it can use a pre-built internal command (do_vs*) instead, including connecting to a 3rd IP address
12. Spotlight - Linux Threat Activity Continued
Behaviors
• ITW samples found on Ubuntu virtual private servers, and support for CentOS is confirmed
• Proxy infrastructure to support targeting of victims via waterholes and 1st-level C2
• Use of JavaScript (BeEF) to conduct system profiling (fake Google Analytics)
  Profiled systems are tracked using an evercookie
• Recent version impersonates the legitimate cron binary
• File transfers are stored in /root/.session and are uudecoded into /root/.hsperfdata
• Passively sniffs all traffic on the interface (detect interface in promiscuous mode?)
• Use of HTTP POSTs to exfiltrate data
• MITRE ATT&CK
  T1059 – Command-Line Interface
  T1205 – Port Knocking
  T1105 – Remote File Copy
  T1094 – Custom Command and Control Protocol
  T1024 – Custom Cryptographic Protocol
  T1032 – Standard Cryptographic Protocol
  T1158 – Hidden Files and Directories
  T1222 – File and Directory Permissions Modification
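The two Penquin slides above raise the practical question of how a defender would spot this implant on a Linux host: it sniffs via libpcap rather than listening on a TCP/UDP port, so netstat shows nothing; it may put the interface into promiscuous mode; it impersonates cron; and it stages files under /root. The Python script below is an added hunting example written for this deck (not Turla code and not a Sophos tool) that checks each of those signals from /sys and /proc. The AF_PACKET socket table in /proc/net/packet is where pcap-based sniffers become visible. The allow-lists of legitimate cron paths and known sniffers, the snapshot structure and the SAMPLE data are assumptions; SAMPLE is constructed, not captured from a real system.

```python
"""Host-side hunt for the Penquin behaviours listed on this slide.

Added hunting script for the deck; it is not Turla code and not a Sophos tool. The
signals come from the slide text: a libpcap raw socket that netstat does not list, an
interface in promiscuous mode, a process posing as cron, and staging files under /root.
The allow-lists, paths and snapshot format are assumptions; SAMPLE is constructed.
"""
import os
import re
import sys

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>
LEGIT_CRON_EXES = {"/usr/sbin/cron", "/usr/sbin/crond", "/usr/bin/crond"}  # assumed per-distro paths
KNOWN_SNIFFERS = {"tcpdump", "dhclient", "NetworkManager", "systemd-network", "wpa_supplicant"}  # assumed
STAGING_PATHS = ("/root/.session", "/root/.hsperfdata")  # paths named on the slide


def promisc_interfaces(flags_by_iface):
    """flags_by_iface maps iface -> contents of /sys/class/net/<iface>/flags (hex string)."""
    return sorted(i for i, f in flags_by_iface.items() if int(f, 16) & IFF_PROMISC)


def packet_socket_inodes(proc_net_packet):
    """Parse /proc/net/packet and return {inode: proto} for AF_PACKET sockets.

    pcap-based sniffers open AF_PACKET sockets; netstat reads the TCP/UDP tables and
    never shows them, but /proc/net/packet does.
    """
    inodes = {}
    for line in proc_net_packet.splitlines()[1:]:  # first line is the column header
        cols = line.split()  # sk RefCnt Type Proto Iface R Rmem User Inode
        if len(cols) >= 9:
            inodes[int(cols[8])] = cols[3]
    return inodes


def socket_owners(fd_links_by_pid, inodes):
    """Map socket inode -> pid using readlink() results of /proc/<pid>/fd/*."""
    owners = {}
    for pid, links in fd_links_by_pid.items():
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m and int(m.group(1)) in inodes:
                owners[int(m.group(1))] = pid
    return owners


def hunt(snap):
    """Return a list of finding strings for one host snapshot (keys as built by collect_snapshot)."""
    findings = []
    for iface in promisc_interfaces(snap["iface_flags"]):
        findings.append(f"interface {iface} is in promiscuous mode")
    inodes = packet_socket_inodes(snap["proc_net_packet"])
    owners = socket_owners(snap["fd_links"], set(inodes))
    for inode, proto in inodes.items():
        pid = owners.get(inode)
        comm, exe = snap["procs"].get(pid, ("unknown", "unknown"))
        if comm not in KNOWN_SNIFFERS:
            findings.append(f"AF_PACKET socket (proto {proto}, inode {inode}) held by pid {pid} {comm} {exe}")
    for pid, (comm, exe) in snap["procs"].items():
        if comm in ("cron", "crond") and exe not in LEGIT_CRON_EXES:
            findings.append(f"pid {pid} is named {comm} but runs from {exe}")
    for path in STAGING_PATHS:
        if path in snap["paths"]:
            findings.append(f"staging artefact present: {path}")
    return findings


def collect_snapshot():
    """Build a snapshot from the live Linux host (root is needed to read every /proc/<pid>/fd)."""
    snap = {"iface_flags": {}, "proc_net_packet": "", "fd_links": {}, "procs": {}, "paths": set()}
    for iface in os.listdir("/sys/class/net"):
        try:
            with open(f"/sys/class/net/{iface}/flags") as fh:
                snap["iface_flags"][iface] = fh.read().strip()
        except OSError:
            continue
    try:
        with open("/proc/net/packet") as fh:
            snap["proc_net_packet"] = fh.read()
    except OSError:
        pass
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            continue  # process exited, or not ours to inspect
        snap["procs"][int(pid)] = (comm, exe)
        snap["fd_links"][int(pid)] = fds
    snap["paths"] = {p for p in STAGING_PATHS if os.path.exists(p)}
    return snap


# Constructed snapshot: eth0 flags 0x1103 = UP|BROADCAST|PROMISC|MULTICAST; pid 412 calls
# itself "cron", runs from /var/tmp and holds an ETH_P_ALL (0003) packet socket.
SAMPLE = {
    "iface_flags": {"lo": "0x9", "eth0": "0x1103"},
    "proc_net_packet": (
        "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
        "ffff9a1c 3      3    0003   2     1 0      0      31337\n"
    ),
    "fd_links": {412: ["/dev/null", "socket:[31337]"], 601: ["pipe:[777]"]},
    "procs": {412: ("cron", "/var/tmp/.x/cron"), 601: ("cron", "/usr/sbin/cron")},
    "paths": {"/root/.session"},
}

if __name__ == "__main__":
    snapshot = collect_snapshot() if "--live" in sys.argv else SAMPLE
    for finding in hunt(snapshot):
        print(finding)
```

Run without arguments to see the four findings the constructed snapshot produces; run with --live as root to evaluate the host the script is on. Because the slide notes that Penquin does not need root, the AF_PACKET check is the most durable of the four: a packet socket must appear in /proc/net/packet whatever the process calls itself, and the only question is whether the owning process is on the sniffer allow-list for that host.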
13. Turla in 2022
May 2022 – Google TAG reports observed Turla activity targeting the Baltics
• Reconnaissance via embedded remote image in DOCX
• Typo-squatting NATO, Baltic Defense College, etc.
• Use of Ukrainian war themes
14. Turla: Sophistication Using ACTORS model
Attack Precision: STRONG (7)
Cross-Platform Capability: STRONG (7)
Targeting: STRONG (10)
OPSEC: STRONG (7)
Resilience: FIERCE (10)
Stealth: FIERCE (10)