Turla: A spying tool targets governments and diplomats

A cyber-espionage campaign built around the known malware Wipbot and Turla has systematically targeted governments and embassies in a number of former Eastern Bloc countries. Trojan.Wipbot (also known as Tavdig) is a back door used for reconnaissance before the attacker moves on to long-term monitoring with Trojan.Turla (also known as Uroboros, Snake and Carbon). This combination of malware is estimated to have been used in classic espionage operations over the last 4 years. Given the targets selected and the advanced malware used, Symantec believes that a state-sponsored group is behind these attacks.

Turla

Turla offers the attacker powerful spying capabilities. It is configured to run every time the computer starts and, once the user opens a web browser, it opens a back door that allows communication with the attackers. Through this back door, attackers can copy files from the infected computer, delete files, and load and execute other forms of malware, among other capabilities.

The team behind Turla uses a two-pronged attack strategy that involves infecting victims through spear-phishing emails and watering hole attacks. The watering hole attacks show considerable sophistication: the attackers compromise a series of legitimate websites and deliver the malware only to visitors arriving from pre-selected IP addresses. These compromised websites serve Trojan.Wipbot. It is very likely that Wipbot is then used as a downloader to deliver Turla to the victim.

Victims

While the infections first appeared in a number of European countries, deeper analysis revealed that several infections in Western Europe occurred on computers connected to the private networks of former Eastern Bloc countries. These infections occurred in the embassies of those countries.

Analysis of the infections revealed that the attackers had focused on a small number of countries. For example, in May 2012 the office of the Prime Minister of a former Soviet Union member state was compromised. The infection spread rapidly, and more than 60 computers in the prime minister's office were compromised.

Another attack, at the end of 2012, hit a computer at the embassy of France in another former Soviet Union country. During 2013, the infection spread to other computers connected to the network of that country's Ministry of Foreign Affairs. The Ministry of the Interior was also infected. Further research uncovered a systematic espionage campaign targeting the diplomatic corps. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland and Germany had suffered similar infections.

At least five more countries in the region have been targeted by similar attacks. While the attackers focused mainly on the former Eastern Bloc, other targets were also found. These include a health ministry in Western Europe, a ministry of education in a Central American country, a state power authority in the Middle East, and a US healthcare provider.

Points of attack

The team behind Turla uses spear-phishing emails and watering hole attacks to infect its victims. Some of the spear-phishing emails purported to come from a military attaché at an embassy in the Middle East and carried an attachment presented as a summary of a meeting. Opening the file silently installed Trojan.Wipbot on the victim's computer. Wipbot is believed to be Turla's delivery mechanism, as the two are similar in structure and code.

Since September 2012, the team has compromised at least 84 legitimate websites to facilitate watering hole attacks. Web pages belonging to various governments and international agencies were among those compromised by the attackers.

[Figure 1. Spear-phishing emails and watering hole attacks are used to infect victims with Trojan.Wipbot, which can then be used to install Trojan.Turla.]

Turla

Symantec has been tracking the activities of the group behind Turla for several years. The identity of the attackers has not yet been confirmed, although all the evidence associated with the attacks indicates that most of their activity takes place during working hours in the UTC+4 time zone.

Trojan.Turla is the evolution of an older piece of malware, Trojan.Minit, whose activity dates back to 2004. Today's campaign is the work of a well-resourced team capable of penetrating a series of networks. It focuses on targets that would be of interest to state actors, and its purpose is espionage and the theft of sensitive data.

Detection

Symantec has the following detections in place for the malware used in the attacks:

AV

IPS


Written by giorgos
