Turla Mosquito Hacker Group Shifts To Open Source Malware

Turla, a hacking group that has been active for over 10 years and is one of the largest known state-sponsored cyberespionage groups, is showing a shift in its behaviour: rather than relying only on its own creations, it is now leveraging the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor.

While this is not the first time Turla has used generic tools, researchers at ESET say that this is the first time the group has used Metasploit, an open-source penetration testing project, as a first-stage backdoor.

“In the past, we have seen the group using open-source password dumpers such as Mimikatz,” ESET Research said in a blog post. “However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper.”

The typical targets of the attacks remain embassies and consulates in Eastern Europe, and the group is still using a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.

According to the researchers, the compromise occurs when the user downloads a Flash installer from get.adobe.com over plain HTTP, allowing Turla operators to replace the legitimate Flash executable with a trojanized version by intercepting traffic on a node between the end machine and the Adobe servers.


“We believe the 5th possibility to be excluded, as, to the best of our knowledge, Adobe/Akamai was not compromised,” the post went on to say, assuring that the Adobe website does not appear to have been compromised.

At the beginning of March 2018, researchers found that there had been some changes in the Mosquito campaign. Where previously the attack was carried out by dropping a loader and the main backdoor using a fake Flash installer, there is now a change in the way the final backdoor is dropped.


“Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer,” the post read.

The shellcode then downloads a Meterpreter, which gives the attacker control of the compromised machine, and after that places the final Mosquito backdoor.


Once the attack is executed, the fake Flash installer downloads a legitimate Flash installer from a Google Drive URL and runs it, to deceive the user into thinking that the installation went smoothly.
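The two observable conditions described above, a Flash installer fetched over plain HTTP from get.adobe.com (the condition under which a node on the path can swap the binary) followed by the same machine pulling an executable from Google Drive, can be turned into a simple check over web-proxy logs. The script below is an added example and is not code from the article or from ESET; the log format, the URL paths, the Google Drive file id and the ten-minute correlation window are all assumptions, and the log lines are constructed for the demonstration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article or from ESET).
# Assumed format: "<ISO timestamp> <client IP> <method> <URL> <response Content-Type>"
SAMPLE_LOG = """\
2018-03-05T09:12:01 10.0.0.15 GET http://get.adobe.com/flashplayer/flashplayer_installer.exe application/x-msdownload
2018-03-05T09:12:44 10.0.0.15 GET https://drive.google.com/uc?export=download&id=PLACEHOLDER_FILE_ID application/x-msdownload
2018-03-05T09:30:10 10.0.0.22 GET https://get.adobe.com/flashplayer/flashplayer_installer.exe application/x-msdownload
2018-03-05T11:02:03 10.0.0.31 GET http://get.adobe.com/flashplayer/ text/html
2018-03-05T14:45:00 10.0.0.40 GET http://get.adobe.com/flashplayer/flashplayer_installer.exe application/x-msdownload
"""

# Content types commonly used for Windows executables (assumed list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}

# Assumption: a Drive fetch within this window after the installer download is treated as related.
FOLLOWUP_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into its fields and decompose the URL."""
    ts, client, method, url, ctype = line.split()
    parsed = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "scheme": parsed.scheme,
        "host": parsed.hostname,
        "path": parsed.path,
        "ctype": ctype,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_executable(entry):
    """Treat the response as an executable by content type or by file extension."""
    return entry["ctype"] in EXECUTABLE_TYPES or entry["path"].lower().endswith(".exe")


def is_plaintext_adobe_installer(entry):
    """Rule 1: an executable fetched from get.adobe.com over plain HTTP,
    i.e. a download that an on-path node could have replaced."""
    return entry["scheme"] == "http" and entry["host"] == "get.adobe.com" and is_executable(entry)


def has_drive_followup(entry, entries, window=FOLLOWUP_WINDOW):
    """Rule 2: the same client then downloads an executable from Google Drive
    shortly afterwards, matching the described behaviour of the trojanized installer."""
    for other in entries:
        if other["client"] != entry["client"] or other["host"] != "drive.google.com":
            continue
        if entry["ts"] < other["ts"] <= entry["ts"] + window and is_executable(other):
            return True
    return False


def analyze(text):
    """Return one finding per plaintext installer download; severity rises when
    the Google Drive follow-up is also present."""
    entries = parse_log(text)
    findings = []
    for entry in entries:
        if not is_plaintext_adobe_installer(entry):
            continue
        followup = has_drive_followup(entry, entries)
        findings.append({
            "client": entry["client"],
            "ts": entry["ts"].isoformat(),
            "drive_followup": followup,
            "severity": "high" if followup else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed input, the HTTPS download by 10.0.0.22 and the HTML page fetched by 10.0.0.31 are not flagged; 10.0.0.40 is reported at medium severity for the plaintext download alone, and 10.0.0.15 at high severity because the Drive executable fetch follows within the window. The correlation is deliberately loose: a plaintext installer download is itself worth a look, and the Drive follow-up only ranks it higher.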

Researchers also say that, because of the use of Metasploit, it can be assumed that an operator is controlling the exploitation manually. More information on Turla can be found in ESET’s whitepaper as well as in their recent report on Turla’s change in attacks.
