Russia-Linked Hackers Use New Toolset and Likely Took Over Servers Operated by Iran-Linked "OilRig" Threat Group

Three recent campaigns associated with the cyber-espionage group Turla employed different tools, revealing a rapidly evolving portfolio, Symantec reports.

Also known as Waterbug, KRYPTON and Venomous Bear, Turla is a Russia-linked threat group active for more than 10 years and mainly focused on cyber-espionage operations.

The group’s activity over the past year and a half continued unhindered, with at least three distinct campaigns identified recently, each using a different toolset. One of them employed a previously unseen backdoor, a second one used three different backdoors, while the third deployed a custom RPC backdoor.

Dubbed Neptun, the backdoor used in the first campaign is installed on Microsoft Exchange servers as a service and passively listens for commands. The threat, Symantec says, can download additional tools, upload stolen files, and execute shell commands.

A second campaign involved the use of Meterpreter, a publicly available backdoor along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. In this campaign, Turla has used a modified version of Meterpreter, encoded and given a .wav extension to disguise its true purpose.

As part of the third campaign, the threat actor used a custom RPC backdoor (different from the version observed in the second campaign) that packed code derived from the PowerShellRunner tool to execute PowerShell scripts and bypass detection.

Other tools leveraged by the hackers in these attacks include a custom dropper to install Neptun, a hacking tool that combines four NSA tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch), a USB data collecting tool, Visual Basic scripts for reconnaissance, PowerShell scripts for reconnaissance and credential theft, and publicly available tools (IntelliAdmin, SScan, NBTScan, PsExec, Mimikatz, and Certutil.exe).

The campaigns targeted governments and international organizations across the globe, as well as entities in the IT and education sectors.

Since early 2018, Turla targeted 13 organizations across 10 different countries, including the Ministries of Foreign Affairs of countries in Latin America, Middle East, and Europe, the Ministry of the Interior of a South Asian country, two government organizations in the Middle East and one in Southeast Asia, and a government office of a South Asian country based in another country.

The group also attacked information and communications technology organizations in the Middle East, Europe, and South Asia, a multinational organization in a Middle Eastern country, and an educational institution in a South Asian country.

One of the attacks identified as part of the first campaign stood out in the crowd for the use of infrastructure belonging to the Iran-linked espionage group known as OilRig (APT34, Crambus). Due to lack of evidence to suggest a collaboration between the groups, Symantec believes this was a hostile takeover.

Using the hijacked infrastructure, the actor downloaded a custom variant of Mimikatz onto a victim’s machine. This variant appears unique to Turla and has been packed using a custom packing routine that has been also used on a group’s dropper, but not on non-Turla tools.

“This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown,” Symantec concludes.

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Related: Turla Backdoor Controlled via Email Attachments