Details Emerge on Espionage Campaign

Monday, August 11, 2014 @ 07:08 PM gHale

Epic Turla, targeted intelligence agencies, government institutions, embassies, military groups, education institutions, and research and pharmaceutical companies in over 45 countries, researchers said.

Turla, also known as Snake or Uroburos, is one of the most sophisticated ongoing cyber-espionage campaigns, said researchers at Kaspersky Lab.


Earlier research by G-Data published in February didn’t address how victims ended up infected.

Kaspersky Lab researchers believe Epic Turla is the first of many malicious components used by the Turla/Uroburos cyber-espionage campaign to compromise the victim and take full control of the infected system, said Kurt Baumgartner, a researcher at Kaspersky Lab.

Research found the cyber-espionage campaign has three distinct parts, with Epic Turla as the early-stage infection mechanism, and Cobra Carbon system/Pfinet and others as intermediary components upgrading functionality and communications capabilities. Snake is the “high-grade” malware platform, which included a rootkit and virtual file systems, Baumgartner said.

Attackers behind Epic Turla used zero-day exploits, spear-phishing emails, and watering hole tactics to infect victims, Baumgartner said. The zero-day exploits include one triggering an escalation-of-privileges flaw in Windows XP and Windows Server 2003 (CVE-2013-5065) and another targeting Adobe Reader (CVE-2013-3346).

The escalation-of-privileges exploit gives the Epic malware administrator privileges on the infected system, and the Reader exploit is triggered when the malicious email attachment is viewed, Baumgartner said. While Kaspersky Lab has uncovered the malicious PDF files, researchers have not yet been able to track down the attack emails themselves.

More than 100 injected websites delivered Epic Turla, with the largest number of sites in Romania, Baumgartner said.

Detected attacks in this campaign include spear-phishing emails targeting Adobe Reader, social engineering tricks to install malware from files with the .SCR extension, and watering hole attacks that convince users to run fake Flash Player installers or that use exploits for Java, Adobe Flash, or Internet Explorer 6, 7, and 8.

When examining victim IP addresses, Kaspersky researchers found the majority of the victims were in Europe and the Middle East, with France, the United States, and Iran topping the list. Several hundred victim IP addresses were distributed across 45 different countries, including Russia, Belarus, Germany, Romania, Poland, the Netherlands, Kazakhstan, and Saudi Arabia.

“Epic” targeted individuals in government entities, such as the Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External Affairs, and intelligence agencies, as well as embassies, military groups, research and education organizations, and pharmaceutical companies. The C&C redirects to a currently suspended page but is still online, Baumgartner said.

Once Epic infects a machine, the malware connects to a command-and-control server and sends information about the victim machine. The C&C then sends an array of backdoors and exploits specific to the software installed on the machine. Kaspersky said Epic attempted to download a sophisticated backdoor known as Cobra/Carbon (or Pfinet) and update Carbon’s configuration file with information about different C&C servers.

“The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,” said Costin Raiu, director of global research and analysis at Kaspersky Lab.

The attackers behind Turla are clearly not native English speakers. They commonly misspell words and expressions, such as:
• Password it’s wrong!
• File is not exists
• File is exists for edit

There are other indications which provide a hint at the origin of the attackers, researchers said. For instance, some of the backdoors were compiled on a system with Russian language settings. Additionally, the internal name of one of the Epic backdoors is “Zagruzchik.dll,” which means “bootloader” or “load program” in Russian.

The Epic mothership control panel sets the code page to 1251, which is the Windows code page used for Cyrillic characters.
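As an added example (not Kaspersky's tooling or code from the Turla research), a small Python triage script that pulls printable strings from a sample and flags the artifacts described above, plus a cp1251 decode pass to surface embedded Cyrillic text; the SAMPLE blob is constructed for illustration and is not a real Turla binary.

```python
import re

# Constructed sample: NUL-separated printable strings as they would sit in a
# binary's data section, plus one word encoded in Windows code page 1251.
SAMPLE = (
    b"\x00\x00Zagruzchik.dll\x00File is not exists\x00"
    b"Password it's wrong!\x00"
    + "Загрузчик".encode("cp1251")   # Russian for "bootloader"
    + b"\x00\x7f\x01"
)

# Artifacts reported for Epic Turla in the text above (ASCII apostrophe used).
TURLA_STRINGS = {
    "Zagruzchik.dll": "internal DLL name, Russian for 'bootloader'",
    "Password it's wrong!": "non-native English error text",
    "File is not exists": "non-native English error text",
    "File is exists for edit": "non-native English error text",
}

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")        # runs of printable ASCII
_CYRILLIC = re.compile(r"[\u0400-\u04ff]{3,}")  # runs of Cyrillic letters


def ascii_strings(blob: bytes) -> list:
    """Minimal 'strings': every run of four or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in _ASCII.finditer(blob)]


def cp1251_cyrillic_strings(blob: bytes) -> list:
    """Decode the blob as cp1251 (bytes 0xC0-0xFF map to А-я) and keep
    Cyrillic runs; a minimum run length limits false hits on random bytes."""
    text = blob.decode("cp1251", errors="replace")
    return _CYRILLIC.findall(text)


def triage(blob: bytes) -> dict:
    """Return the attribution-relevant indicators found in a blob."""
    known = {s: TURLA_STRINGS[s] for s in ascii_strings(blob) if s in TURLA_STRINGS}
    return {"known_strings": known, "cyrillic_cp1251": cp1251_cyrillic_strings(blob)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

String matches alone are weak attribution evidence; they are useful as a triage signal to route a sample for deeper analysis, not as proof of origin.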

