Turla group has been active since at least 2007 targeting government organizations and private businesses.
The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
Turla is back, in a recent wave of attacks, the cyberspies targeted diplomatic entities in Eastern Europe.
“To confound detection, its operators recently started using PowerShell scripts that provide direct, in-
The PowerShell scripts used by Turla in recent attacks allow direct, in-memory loading and execution of malicious executables and libraries avoiding detection.
Kaspersky Lab said the APT was experimenting with PowerShell in-memory loads to bypass security protections, at the time the loader used by the cyberspies was based on the legitimate PoshSec-Mod software. Anyway, experts believe that due to the presence of bugs in the code it would often crash.
ESET believes that now the problems have been solved and the Turla threat actors leverage the PowerShell scripts to load an array of malware.
“The PowerShell scripts are not simple droppers; they persist
“We have seen Turla operators use two persistence methods:
When the persistence is implemented through WMI, attackers create two WMI event filters and two WMI event consumers. The consumers are command lines launching base64-encoded PowerShell commands that load a PowerShell script stored in the Windows registry.
The second method used by the group consists of altering the PowerShell profile that is a script that runs when PowerShell starts.
In both cases the decryption of payloads stored in the registry is done using the 3DES algorithm. Once decrypted, a PowerShell reflective loader then comes into action.
“The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework” reads the analysis.
“The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system,”
Attackers avoid targeting processes that could be specifically referred as legitimate defense solutions, such as the Kaspersky anti-virus protection software.
In some samples, Turla attackers have modified the PowerShell script in order to bypass the Antimalware Scan Interface (AMSI) implemented by Windows.
“This is an interface allowing any Windows application to integrate with the installed
“They did not find a new bypass but re-used a technique presented at Black Hat Asia 2018 in the talk The Rise and Fall of AMSI. It consists of the in-memory patching of the beginning of the function AmsiScanBuffer in the library amsi.dll.”
The attackers are also able to modify the PowerShell script, in particular, the AmsiScanBuffer in a way that the
The PowerShell loader is used to lauch malware, one of these malicious codes is a backdoor based on the RPC protocol.
Turla also has also a lightweight PowerShell backdoor in its arsenal, tracked as PowerStallion it uses cloud storage as C2 server.
A few weeks ago, ESET researchers discovered a Turla’s backdoor tracked as LightNeuron, that has been specifically developed to hijack Microsoft Exchange mail servers.
ESET confirmed that the PowerShell scripts have been used involved in campaigns aimed at political targets in Eastern Europe. According to the researchers the same scripts are also used globally against other targets in Western Europe and the Middle East.
“Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware.” concludes the report.
ESET report includes technical details and