Turla: A spying tool targets governments and diplomats

A cyber-espionage campaign using two known pieces of malware, Trojan.Wipbot and Trojan.Turla, has systematically targeted governments and embassies in a number of former Eastern Bloc countries. Trojan.Wipbot (also known as Tavdig) is a back door used for reconnaissance before the attackers switch to long-term monitoring with Trojan.Turla (also known as Uroboros, Snake and Carbon). This combination of malware is estimated to have been used in classic espionage operations for at least the last four years. Given the selected targets and the sophistication of the malware, Symantec believes that a state-sponsored group is behind the attacks.

Turla

Turla gives the attacker powerful spying capabilities. It is configured to start every time the computer boots, and once the user opens a web browser it opens a back door that enables communication with the attackers. Through this back door the attackers can copy files from the infected computer, delete files, and download and execute other malware, among other actions.

The group behind Turla uses a two-pronged attack strategy: spear phishing emails and watering hole attacks. The watering hole attacks show considerable technical sophistication: the attackers compromise a series of legitimate websites and deliver the malware only to visitors arriving from pre-selected IP address ranges. These compromised websites deliver Trojan.Wipbot, and Wipbot is then very likely used to deliver Turla to the victim.
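The selective delivery described above is what makes these watering holes hard to spot from outside the targeted networks: a researcher or sandbox fetching the page from a non-targeted address sees only the clean site. The following Python is an added illustration, not code from Symantec or from this article. It simulates the server-side gate a compromised site would apply (the IP ranges, page contents and injected tag are constructed placeholders) and shows the differential check an analyst can run against it: fetch the same URL from several vantage points and compare the responses.

```python
"""Added example: IP-range gated delivery on a watering hole, and a
differential fetch that exposes it. All addresses and content are constructed."""
import ipaddress
from typing import Callable, Dict, Iterable

# Constructed placeholder ranges standing in for the networks an attacker
# pre-selects (for example the address space of a targeted ministry).
TARGET_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

CLEAN_PAGE = "<html><body><h1>Ministry news</h1></body></html>"
# Constructed placeholder for the tag a watering hole would inject
# (in practice a script or iframe pointing at the exploit stage).
PAYLOAD_TAG = '<script src="/assets/update.js"></script>'


def in_target_ranges(client_ip: str, ranges: Iterable = TARGET_RANGES) -> bool:
    """True if the visitor's source address falls inside a pre-selected range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ranges)


def serve_page(client_ip: str) -> str:
    """Compromised-site behaviour: inject the payload only for selected visitors.
    Everyone else, including analysts and sandboxes, receives the unmodified page."""
    if in_target_ranges(client_ip):
        return CLEAN_PAGE.replace("</body>", PAYLOAD_TAG + "</body>")
    return CLEAN_PAGE


def differential_check(fetch: Callable[[str], str], baseline_ip: str,
                       vantage_points: Iterable[str]) -> Dict[str, bool]:
    """Fetch the same page from several source addresses and compare each
    response with a baseline fetch. A response that differs only because of the
    source address is a signal of gated delivery (legitimate geo-targeting must
    be ruled out separately, e.g. by diffing for injected script/iframe tags)."""
    baseline = fetch(baseline_ip)
    return {ip: fetch(ip) != baseline for ip in vantage_points}


if __name__ == "__main__":
    # Constructed vantage points: one inside a target range, one outside.
    result = differential_check(serve_page, "192.0.2.10", ["203.0.113.45", "192.0.2.11"])
    for ip, differs in result.items():
        print(f"{ip}: {'DIFFERENT content (possible gated delivery)' if differs else 'same as baseline'}")
```

When hunting for compromised sites in practice, the vantage points should include addresses inside the organisation's own ranges (the attacker's likely target) and several unrelated ones; the comparison should be made on the parsed DOM rather than raw bytes, since benign sites also vary cache headers and timestamps between fetches.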

Victims

While the infections first appeared in a number of European countries, closer analysis revealed that many of the infections in Western Europe occurred on computers connected to the private networks of former Eastern Bloc countries. These infections appear to have occurred at the embassies of those countries.

Analysis of the infections revealed that the attackers had focused on a small number of countries. For example, in May 2012 the office of the prime minister of a former Soviet Union member country was compromised. This infection spread rapidly, and more than 60 computers in the prime minister's office were compromised.

Another attack, in late 2012, infected a computer at the embassy in France of a former Soviet Union member country. During 2013 the infection spread to other computers connected to that country's foreign ministry network, and the interior ministry was also infected. Further investigation identified a systematic espionage campaign aimed at the diplomatic corps: similar infections were found at the country's embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland and Germany.

At least five more countries in the region have been targeted by similar attacks. While the attackers focused mainly on the former Eastern Bloc, other targets were also found: a health ministry in Western Europe, a ministry of education in Central America, a state electricity authority in the Middle East, and a healthcare provider in the US.

Points of attack

The group behind Turla uses spear phishing emails and watering hole attacks to infect its victims. Some of the spear phishing emails appeared to come from a military attaché at an embassy in the Middle East and carried an attachment purporting to be the minutes of a meeting. Opening the attachment installed Trojan.Wipbot on the victim's computer. Wipbot is believed to be the delivery mechanism for Turla, as the two share similarities in structure and code.

Since September 2012 the group has compromised at least 84 legitimate websites to facilitate watering hole attacks. Websites belonging to various governments and international agencies were among those compromised by the attackers.

Figure 1. Spear phishing emails and watering hole attacks are used to infect victims with Trojan.Wipbot, which can then be used to install Trojan.Turla.

Attribution

Symantec has been tracking the activities of the group behind Turla for several years. The identity of the attackers has not yet been confirmed, although all activity associated with the attacks indicates that most of it takes place during working hours in the UTC+4 time zone.
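The working-hours observation above is a standard attribution technique: take the UTC timestamps of attacker actions (compile times, C&C check-ins, file modification times on compromised hosts) and find the UTC offset under which they cluster in a normal working week. The following Python is an added illustration of that inference, not data or code from Symantec; the timestamps are constructed, and the assumed working window is 09:00 to 18:00 on weekdays.

```python
"""Added example: infer the UTC offset whose weekday working hours best fit a set
of activity timestamps. Sample timestamps are constructed, not real Turla data."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed sample of attacker activity timestamps in UTC (Mon 4 and Tue 5 March
# 2013, plus one Saturday outlier). A real dataset would hold thousands of events.
SAMPLE_TIMESTAMPS_UTC = [
    "2013-03-04T05:15:00", "2013-03-04T06:30:00", "2013-03-04T07:45:00",
    "2013-03-04T08:10:00", "2013-03-04T09:50:00", "2013-03-05T10:20:00",
    "2013-03-05T11:05:00", "2013-03-05T12:40:00", "2013-03-05T13:55:00",
    "2013-03-09T10:00:00",  # Saturday: falls outside any weekday window
]

WORK_START, WORK_END = 9, 18  # assumed local working hours, start inclusive, end exclusive


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp (no zone suffix) as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def working_hours_fit(timestamps_utc: Iterable[str], offset_hours: int) -> float:
    """Fraction of events that fall inside weekday working hours when the clock
    is shifted to the given UTC offset."""
    local_tz = timezone(timedelta(hours=offset_hours))
    events = [parse_utc(ts).astimezone(local_tz) for ts in timestamps_utc]
    hits = sum(1 for e in events if e.weekday() < 5 and WORK_START <= e.hour < WORK_END)
    return hits / len(events)


def best_offsets(timestamps_utc: List[str],
                 offsets: Iterable[int] = range(-12, 15)) -> Tuple[List[int], Dict[int, float]]:
    """Score every candidate offset and return (best offsets, all scores).
    Adjacent offsets often tie or score nearly as well, so the result narrows
    the analyst to a region; it does not identify a country on its own."""
    scores = {off: working_hours_fit(timestamps_utc, off) for off in offsets}
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top), scores


if __name__ == "__main__":
    best, scores = best_offsets(SAMPLE_TIMESTAMPS_UTC)
    for off in sorted(scores):
        print(f"UTC{off:+d}: {scores[off]:.0%} of events in weekday working hours")
    print("best fit:", ["UTC%+d" % o for o in best])
```

The caveat a practitioner should keep in mind is that timestamps can be forged (compile times in PE headers are attacker-controlled) and that a shift-working operator, or a team spanning time zones, flattens the distribution; the technique is corroborating evidence, which is why the article reports it alongside target selection rather than as proof of origin.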

Trojan.Turla is an evolution of an older piece of malware, Trojan.Minit, which has been in operation since 2004. The current campaign is the work of a well-resourced group capable of penetrating a number of networks. It focuses on targets that would be of interest to a nation state, and its purpose is espionage and the theft of sensitive data.

Detection

Symantec has the following detections in place for the malware used in these attacks:

AV

IPS


Written by giorgos

