In March, during the Kaspersky Security Analyst Summit held in Cancun, Kurt Baumgartner, Kaspersky principal security researcher, revealed that the activity associated with the Sofacy APT group appears to overlap with campaigns conducted by other cyber espionage groups.
Baumgartner explained that Sofacy's Zebrocy malware was found on machines in Europe and Asia that were also infected with the Mosquito backdoor associated with the Russia-linked Turla APT.
The delivery vector used in the recent spear-phishing campaigns conducted by Turla relies on Windows shortcut (.LNK) files that contain PowerShell code almost identical to that used in Zebrocy attacks.
In mid-2018, a very small number of systems in Syria and Afghanistan were being targeted with this new delivery vector.
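A defender-side check for the .LNK delivery vector described above, added here as an example and not taken from the article or from Kaspersky's research: it walks the shell-link header and StringData fields (MS-SHLLINK layout) to extract the embedded command-line arguments and flags PowerShell indicators; the sample link bytes and the keyword list are constructed for illustration and are assumptions, not indicators from the page.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields, in the order they appear in the file when their flag is set
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
# Constructed keyword list: common PowerShell launch patterns seen in shortcut arguments
SUSPICIOUS = ("powershell", "-encodedcommand", "-enc ", "frombase64string",
              "invoke-expression", "downloadstring", "-windowstyle hidden")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link (.LNK) as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags at offset 20
    pos = 0x4C                                        # fixed 76-byte header
    if flags & HAS_ID_LIST:                           # IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            pos += 2
            size = count * 2 if unicode else count
            raw = data[pos:pos + size]
            pos += size
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields

def lnk_findings(data: bytes) -> list:
    """List the suspicious keywords present in the link's string fields."""
    text = " ".join(parse_lnk_strings(data).values()).lower()
    return [kw for kw in SUSPICIOUS if kw in text]

def build_sample_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Constructed minimal Unicode .LNK with only RELATIVE_PATH and ARGUMENTS set."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, bytes(16), flags) + bytes(0x4C - 24)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

Run `lnk_findings(open(path, "rb").read())` over shortcuts arriving as mail attachments; a non-empty result on a .LNK that launches cmd.exe or powershell.exe with hidden-window or encoded-command switches is worth a closer look.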
KopiLuwak was first spotted in 2016 while the APT was delivering it to at least one victim leveraging a document containing an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus.
The C&C can send arbitrary commands to the infected system using Wscript.shell.run().
Experts also detailed the evolution of Turla's Carbon backdoor and of the Meterpreter and Mosquito malware delivery techniques.
Experts believe Turla will continue to improve its arsenal, and that the nation-state actor could target organizations in Central Asia and related remote locations.
“It’s very interesting to see ongoing targeting overlap, or the lack of overlap, with other APT activity. Noting that Turla was absent from the milestone DNC hack event where Sofacy and CozyDuke were both present, but Turla was quietly active around the globe on other projects, provides some insight as to ongoing motivations and ambitions of this group,” Kaspersky concludes.
“From the targeting perspective, we see closer ties between the KopiLuwak and WhiteBear activity, and closer alignments between Mosquito and Carbon activity.”
(Security Affairs – Turla, Sofacy)