ESET researchers analyzed the new PowerShell-based tools of the Turla cyber-espionage group. These tools are more resistant to attacks and exhibit improved capabilities for evading detection mechanisms.
The well-known APT (Advanced Persistent Threat) group, also known as Snake, recently started using PowerShell scripts that can load and run malware executables and libraries directly in memory.
By using PowerShell-based tools, the Turla operators can bypass detection techniques that trigger when a malicious executable file appears on disk.
Turla is a well-known cyber espionage team, which stands out for the use of complex malware in its attacks.
Its actions are believed to date back to at least 2008, when US military systems were breached. It is also involved in serious attacks on many government agencies in Europe and the Middle East - including the German Foreign Ministry and the French Army.
Recently, ESET researchers identified a number of attacks using PowerShell scripts against diplomatic missions in Eastern Europe. "These are probably the same scripts that Turla uses against other targets worldwide," said ESET researcher Matthieu Faou, who led the study.
ESET researchers have published an article with the results of their analysis of the PowerShell scripts used by the Turla group, to help defenders counter the attacks. "In addition to the new PowerShell loader used by Turla, we discovered and analyzed several interesting payloads, such as a backdoor based on the RPC protocol and a PowerShell backdoor that uses OneDrive, Microsoft's cloud storage service, as a Command and Control server," says Faou.
The PowerShell loaders, which ESET detects under the generic name PowerShell/Turla, differ from common droppers in that they persist on the system and regularly load the embedded executables into memory only, never writing them to disk.
In some samples, the Turla operators had modified the PowerShell scripts to bypass the Antimalware Scan Interface (AMSI). This technique, first disclosed at the Black Hat Asia 2018 conference, results in the antimalware product being unable to receive data from AMSI for scanning.
"However, these techniques do not prevent the detection of the actual malicious payloads in memory," explains Matthieu Faou.
Among the malicious payloads recently used by Turla, two stand out. One is a whole set of backdoors based on the RPC protocol. These backdoors are used to perform lateral movement and take control of other machines on the local network without relying on an external C&C server. Also of interest is PowerStallion, a lightweight PowerShell backdoor that uses Microsoft's OneDrive cloud storage service as a Command & Control server.
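The behaviours described above (loaders that decode an embedded executable and load it in memory, scripts that reference AMSI, encoded command lines) leave traces in PowerShell ScriptBlock logging (Event ID 4104) even when nothing touches the disk. The following triage script is an added example written for this article, not ESET's tooling or anything from the report; the indicator names, the regexes and the sample script blocks are constructed here for illustration, and the "loader" sample carries a filler Base64 string rather than any real binary.

```python
import re

# Heuristic indicators for PowerShell ScriptBlock log text (Event ID 4104).
# Indicator names and patterns are our own (constructed for this example).
INDICATORS = {
    # In-memory loading of a .NET assembly from a byte array: the loader
    # never writes the embedded executable to disk.
    "reflective_assembly_load": re.compile(
        r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE),
    # A large Base64 literal decoded at run time usually carries an embedded binary.
    "embedded_base64_payload": re.compile(
        r"FromBase64String\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.IGNORECASE),
    # Legitimate scripts almost never refer to AMSI at all; any reference
    # deserves a human look, whatever the tampering technique.
    "amsi_reference": re.compile(r"\bamsi", re.IGNORECASE),
    # Encoded command lines hide the script body from casual inspection.
    "encoded_command": re.compile(
        r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
}


def score_script_block(text):
    """Return the sorted list of indicator names matching one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage(events):
    """events: iterable of (record_id, script_text).

    Returns {record_id: [indicators]} for every block with at least one hit,
    preserving input order; clean blocks are omitted.
    """
    hits = {}
    for record_id, text in events:
        matched = score_script_block(text)
        if matched:
            hits[record_id] = matched
    return hits


# Constructed sample script blocks as they might appear in 4104 events.
SAMPLE_EVENTS = [
    # 1: benign housekeeping script.
    (1, "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item"),
    # 2: loader-like block that decodes a blob and loads it in memory.
    #    The blob is a constructed filler string, not a real executable.
    (2, "$b = [Convert]::FromBase64String('" + "QUJD" * 60 + "'); "
        "[System.Reflection.Assembly]::Load($b) | Out-Null"),
    # 3: block that merely mentions AMSI (placeholder text, no tampering code).
    (3, "Set-Variable -Name note -Value 'amsi handling placeholder'"),
    # 4: encoded command line; the argument is constructed filler.
    (4, "powershell.exe -enc " + "V" * 40),
]

if __name__ == "__main__":
    for record_id, indicators in triage(SAMPLE_EVENTS).items():
        print(f"record {record_id}: {', '.join(indicators)}")
```

In a real deployment the script text would come from the Microsoft-Windows-PowerShell/Operational log (forwarded to a SIEM or read with Get-WinEvent), and each indicator would be a single signal for analysts rather than an automatic verdict: long Base64 literals and reflective loads also appear in legitimate build and deployment scripts, so the value is in correlating hits with the process ancestry and the account that ran them.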
"We believe this backdoor is a tool to regain access in the event that Turla's main backdoors are removed and cybercriminals can no longer access the compromised computers," said Matthieu Faou.
ESET researchers continue to closely monitor the Turla APT group and other similarly significant groups, researching their methods, tactics and procedures to help organizations protect their networks.
More details can be found in the relevant article on ESET's blog, WeLiveSecurity.com.