Turla, also called as Snake and Uroburos, is one of the most advanced ongoing cyber-espionage threats in the world. The latest Kaspersky Lab research sheds light on how Turla/Snake/Uroburos infected its victims, dubbing the initial infections as the “Epic” operation.
Epic has been going on since at least 2012, with the start of 2014 experiencing the highest volume of activity. Kaspersky, a leading developer of secure content and threat management solutions, noted a recent attack against of one of its users last August 5, 2014.
Most of the victims belong to the following groups: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations, and pharmaceutical companies.
Geographically, most of the victims are in the Middle East and Europe, with other victims located all over the world including the USA. Experts from Kaspersky Lab counted hundreds of victim internet protocol (IP) addresses spread out in about 45 countries, with France topping the list.
Kaspersky Lab reported that Epic Turla thrives in zero-day exploits, social engineering, and watering hole attacks.
In the past, the threat took advantage of at least two zero-days: one for Escalation of Privileges (EoP) in Windows XP and Windows Server 2003 (CVE-2013-5065) which allowed Epic to gain administrator privileges on the system and run unrestricted; and an exploit in Adobe Reader (CVE-2013-3346) that is used in malicious e-mail attachments. Opening the infected PDF file on a vulnerable system automatically infected the machine and allowed hackers to gain real-time access and control of the targeted system.
Additionally, hackers also use direct spear-phishing e-mails and watering hole attacks to claim victims. Specifically, the attacks are categorized as follows: spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065); social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR; watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown), or Internet Explorer 6, 7, 8 exploits (unknown); and watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers.
Meanwhile, watering holes are websites that people commonly visit. Attackers use Java and browser exploits, signed fake Adobe Flash Player software, or a fake version of Microsoft Security Essentials to bait the user into executing the malicious code. 100 websites were deemed unsafe by Kaspersky Lab.
Once a system is compromised, the Epic backdoor immediately contacts the command-and-control (C&C) server to send a pack containing the victim’s information. They also deliver pre-configured batch files with a series of executable commands, a keylogger tool, a RAR archiver, and standard utilities like a DNS query tool from Microsoft to the victim’s computer. This backdoor is also called “WorldCupSec”, “TadjMakhal”, “Wipbot”, and “Tadvig”.
Turla’s first stage
Kaspersky researchers noted that attackers using the Epic malware deployed a more complicated backdoor known as the “Cobra/Carbon system” or “Pfinet” as it is called by some anti-virus products.
After some time, the attackers used the Epic backdoor to update their “Carbon” configuration file with a different group of C&C servers. The unique knowledge to operate these backdoors clearly indicate that there is direct connection between the two.
“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
“The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,” Raiu added.
The attackers behind Turla are not native English speakers nor are they proficient with the language. This is obvious from their misspelled words and expressions like: “Password it’s wrong!”; “File is not exists”; and “File is exists for edit”.
Various other indicators hint at the identity of the attackers. Some of their backdoors have been compiled on a system using the Russian language; an internal name of one Epic backdoors is “Zagruzchik.dll”, meaning “bootloader” or “load program” in Russian; and the Epic mothership control panel’s code is set to 1251, which is used for Cyrillic characters.
Links with other threat actors
It was observed that the Epic attacks may have possible connections with other cyber-espionage campaigns. Earlier this February, Kaspersky Lab experts noticed that the threat actor known as Miniduke were using the same web-shells associated with the Epic team to manage infected web servers.
To learn more about the “Epic Turla” operation, please read the blog post available at Securelist.com.