Turla Group Observed using Open-Source Tools
Target: Eastern European organisations and embassies
Attack Vector: Fake Flash loader that subsequently loads Metasploit, which executes shellcode and installs a backdoor
Threat Actor: @Turla
Summary: The well-known, Russia-based @Turla group has been observed continuing its activity over the spring, yet its behaviour differs slightly from previously observed methods. @Turla is known to utilise its own tools, such as Skipper, to carry out attacks, yet recently a range of open-source tools has been used instead to achieve the same aims, signalling a change of methodology. The group has continued to push its Mosquito backdoor, previously reported on in GTS Issue 5, 16th January 2018, yet instead of using a fake Flash installer, Metasploit is used as the initial vector to drop the Mosquito backdoor.
The group has not previously been observed using Metasploit, and this change in tactics could provide an opportunity to mitigate against the group’s activities. The malware is generally being directed at Eastern European targets and could escalate tensions in the current relationship between Russia and Ukraine.
Risk assessment summary: This threat is assessed as 3d MODERATE. While Mosquito already presents a risk due to its capability to steal information from a target machine and relay it back to a threat actor, this variant increases the likelihood of infection. The use of Metasploit means that the commands which download the malware do not remain on the system, unlike the previous variant, where the fake Flash installer could be examined for its weaponised version of Flash Player. This improvement gives the exploit an additional level of covertness, making post-infection activity difficult to detect.
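Because the download commands leave little on disk, the detection opportunity shifts to the process chain the bulletin describes: a Flash-named installer that reaches out to the network and then drops a file or starts another process. The following is an added example, not part of the bulletin, showing that heuristic run over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create). The file names, hosts, PIDs and the name pattern used to recognise a Flash installer are assumptions for illustration, not indicators from the report.

```python
"""Process-chain heuristic for a fake Flash installer that fetches a second
stage and drops a backdoor, run over constructed Sysmon-style events.

All event data below is constructed for illustration; the file names, hosts
and PIDs are not indicators from the bulletin.
"""
import re
from collections import defaultdict

# Assumed heuristic: a genuine Flash installer is not expected to write
# executables into a user profile or spawn unrelated child processes.
FLASH_NAME = re.compile(r"flash.*(install|player|update|setup)", re.IGNORECASE)
PE_SUFFIX = (".exe", ".dll")

# Constructed events in a Sysmon-like shape.
EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Users\victim\Downloads\flash_player_update.exe"},
    {"EventID": 3, "ProcessId": 4100,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "ProcessId": 4100,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\svchost_helper.dll"},
    {"EventID": 1, "ProcessId": 4230, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\rundll32.exe"},
    # Benign control: a differently named installer that only downloads.
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Users\victim\Downloads\notepad_setup.exe"},
    {"EventID": 3, "ProcessId": 5000,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def find_fake_flash_chains(events):
    """Return {pid: [reasons]} for Flash-named processes that reached the
    network and then either dropped a PE file or spawned a child process."""
    images = {}                    # pid -> image path
    net = set()                    # pids with an outbound connection
    dropped = defaultdict(list)    # pid -> PE files it wrote
    children = defaultdict(list)   # pid -> images of processes it spawned
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            images[pid] = ev["Image"]
            children[ev["ParentProcessId"]].append(ev["Image"])
        elif ev["EventID"] == 3:
            net.add(pid)
        elif ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith(PE_SUFFIX):
            dropped[pid].append(ev["TargetFilename"])

    hits = {}
    for pid, image in images.items():
        basename = image.rsplit("\\", 1)[-1]
        if not FLASH_NAME.search(basename) or pid not in net:
            continue
        reasons = []
        if dropped[pid]:
            reasons.append("dropped PE: " + ", ".join(dropped[pid]))
        if children[pid]:
            reasons.append("spawned: " + ", ".join(children[pid]))
        if reasons:
            reasons.insert(0, "network connection from " + image)
            hits[pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in find_fake_flash_chains(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Only the Flash-named process that both connected out and dropped a DLL and spawned rundll32 is flagged; the control installer that merely downloads is not. In a real deployment the name pattern would be paired with signer and download-source checks rather than used alone.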
Anti-Russian sentiment is high in Ukraine where protesters have constantly campaigned for closer ties to the EU, something which does not sit well with Moscow. As long as this situation is maintained, it is likely Ukraine will be a victim of Russian APT activity.