Turla durable tools bypass detection mechanisms

ESET researchers have analyzed the new PowerShell-based tools of the Turla cyber espionage group. These tools are more resilient and better at evading detection mechanisms.

The well-known Advanced Persistent Threat (APT) group, also known as Snake, has recently started using PowerShell scripts that can directly load and "run" executables and libraries in memory.

Using PowerShell-based tools, Turla's operators can bypass detection techniques that are triggered when a malicious executable file is dropped to disk.

Turla

Turla is a well-known cyber espionage team, which stands out for the use of complex malware in its attacks.

Its actions are believed to date back to at least 2008, when US military systems were breached. It is also involved in serious attacks on many government agencies in Europe and the Middle East - including the German Foreign Ministry and the French Army.

Recently, ESET researchers detected several attacks using PowerShell scripting against diplomatic organizations in Eastern Europe. "These are likely the same scripts that Turla uses against its other targets globally," says ESET researcher Matthieu Faou, who conducted the s.

ESET researchers have published an article with the results of their analysis of the PowerShell scripts used by the Turla group, to help organizations counter these attacks. "In addition to the new PowerShell loader that Turla uses, we discovered and analyzed several interesting payloads, such as an RPC-based backdoor and a PowerShell backdoor that uses OneDrive, Microsoft's cloud storage service, as a Command and Control server," says Faou.

The PowerShell loaders, which ESET detects under the generic name PowerShell/Turla, differ from ordinary droppers in their ability to persist on the system: they regularly load into memory only the executables embedded in the script, so no malicious file needs to be written to disk.

In some samples, Turla's operators had modified the PowerShell scripts to bypass AMSI (Antimalware Scan Interface). This technique, first described at the Black Hat Asia 2018 conference, prevents the antimalware product from receiving the script data from AMSI for scanning.

"However, these techniques do not prevent the detection of the actual malicious payloads in memory," explains Matthieu Faou.
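The loaders described above combine two traits that a defender can look for in script content before it ever runs: an embedded executable carried as a long base64 literal and loaded straight from memory via reflection, and references to AMSI inside a script where an administrative script would have no reason to mention it. The following Python is an added example, not ESET's or Turla's code, of a simple static triage routine for PowerShell script text; the indicator names, the base64 length threshold and the two-indicator review policy are assumptions chosen for illustration, and the three sample scripts are constructed here.

```python
"""Static triage indicators for PowerShell loaders that carry an embedded
executable and reference the Antimalware Scan Interface (AMSI).

Added example, not ESET's or Turla's code. Indicator names, the 200-char
base64 threshold and the review threshold are assumptions for illustration.
"""
import base64
import binascii
import re

# Reflective loading of an assembly straight from a byte array (never touches disk).
REFLECTIVE_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.IGNORECASE)
# Any mention of AMSI is unusual in routine administrative scripts.
AMSI_REFERENCE = re.compile(r"amsi", re.IGNORECASE)
# A long quoted base64 literal (assumed threshold: 200+ chars) is a common way to embed a payload.
LONG_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
FROM_BASE64 = re.compile(r"FromBase64String", re.IGNORECASE)


def decoded_blobs(script: str):
    """Yield the bytes of every long base64 literal in the script that decodes cleanly."""
    for match in LONG_B64_LITERAL.finditer(script):
        try:
            yield base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue


def analyze_script(script: str) -> list[str]:
    """Return the names of the indicators found in the script text, in a fixed order."""
    findings = []
    if REFLECTIVE_LOAD.search(script):
        findings.append("reflective_assembly_load")
    if AMSI_REFERENCE.search(script):
        findings.append("amsi_reference")
    if FROM_BASE64.search(script) and LONG_B64_LITERAL.search(script):
        findings.append("long_base64_literal")
    # "MZ" is the DOS header magic that every Windows PE file starts with.
    if any(blob.startswith(b"MZ") for blob in decoded_blobs(script)):
        findings.append("embedded_pe_in_base64")
    return findings


def is_suspicious(script: str, threshold: int = 2) -> bool:
    """Assumed policy: two or more independent indicators warrant analyst review."""
    return len(analyze_script(script)) >= threshold


# --- Constructed samples (illustrative only, not real malware) ---------------

# Ordinary administrative script: no indicators expected.
BENIGN_SCRIPT = r'''
Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } |
    Sort-Object Length -Descending | Select-Object -First 10
'''

# Legitimate audit script that mentions AMSI: one indicator, below the review threshold.
AMSI_AUDIT_SCRIPT = r'''
# Audit which AMSI providers are registered on this host
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
'''

# Loader-shaped script: a base64 blob whose decoded bytes start with the PE
# magic "MZ", decoded and loaded reflectively. The blob is a dummy header plus
# padding, not an executable.
_EMBEDDED_PE = base64.b64encode(b"MZ" + b"\x90" * 300).decode()
SUSPICIOUS_SCRIPT = f'''
$blob = "{_EMBEDDED_PE}"
$bytes = [System.Convert]::FromBase64String($blob)
$asm = [System.Reflection.Assembly]::Load($bytes)
'''

if __name__ == "__main__":
    for name, text in [("benign", BENIGN_SCRIPT),
                       ("amsi_audit", AMSI_AUDIT_SCRIPT),
                       ("loader", SUSPICIOUS_SCRIPT)]:
        print(f"{name}: {analyze_script(text)} suspicious={is_suspicious(text)}")
```

Static checks like these are a first filter only, which is the point Faou makes above: a loader can be rewritten to evade string matching, so the durable detection opportunity is the payload once it is decoded and running in memory, for which script block logging and in-memory scanning of the PowerShell process remain the complementary controls.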

Among the malicious payloads used by Turla recently, two stand out. One is a whole set of backdoors based on the RPC protocol. These backdoors are used to perform lateral movement and take control of other machines on the local network without relying on an external C&C server. Also of interest is PowerStallion, a lightweight PowerShell backdoor that uses Microsoft's cloud storage service, OneDrive, as its Command & Control server.

"We believe this backdoor is a tool to regain access in the event that Turla's main backdoors are removed and cybercriminals can no longer access the compromised computers," said Matthieu Faou.

ESET researchers continue to closely monitor the APT Turla team and other similarly important teams, researching their methods, tactics and procedures to help organizations protect their networks.

More details can be found in the relevant article on ESET's blog, WeLiveSecurity.com.

iGuRu.gr The Best Technology Site in Greece

Written by newsbot
