Cyber-espionage campaign opens backdoor to steal documents from infected PCs

Researchers at security company ESET detail Crutch, a malware backdoor implanted onto the systems of a European foreign ministry by the Kremlin-linked Turla hacking group.
Written by Danny Palmer, Senior Writer

A cyber-espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware that provides a secret backdoor onto compromised Windows systems.

Uncovered by cybersecurity researchers at ESET, the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

Dubbed Crutch by its developers, this malware campaign has been active from 2015 through to 2020 and researchers have linked it to the Turla hacking group, due to similarities with previously uncovered Turla campaigns such as Gazer. The working hours of the group also coincide with UTC+3, the timezone that Moscow sits in. The UK's National Cyber Security Centre (NCSC) is among those organisations that has attributed Turla – also known as Waterbug and Venomous Bear – to Russia. 

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)   

The newly detailed Crutch campaign appears tailored towards very specific targets with the aim of stealing sensitive documents. ESET hasn't revealed any specifics about the target, aside from that it was a ministry of foreign affairs in an EU country. This targeting fits in with previous Turla campaigns.

However, Crutch isn't a first-stage payload and is only deployed after cyber attackers have already compromised the target network – something that similar campaigns to this have achieved by using specially crafted spear-phishing attacks.

Once Crutch is installed as a backdoor on the target system, it communicates with a hardcoded Dropbox account that it uses to retrieve files while remaining under the radar because Dropbox is able to blend into normal network traffic.

Analysis of the backdoor indicates that it has repeatedly been updated and changed over the years in order to maintain effectiveness while also keeping hidden.

"The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal," said Matthieu Faou, malware researcher at ESET.

SEE: Ransomware victims aren't reporting attacks to police. That's causing a big problem

However, despite the persistent nature of the attack by what's regarded as a sophisticated hacking operation, there's still some relatively simple security measures that organisations can apply to avoid falling victim to this or many other forms of cyberattack.

"During this investigation, we noticed that attackers were able to move laterally and compromise additional machines by reusing admin passwords," said Fauo.

"I believe that limiting lateral movement possibilities would greatly make the life of attackers harder. It means preventing users being able to run as admin, using two-factor authentication on admin accounts, and using unique and complex passwords," he added.


Editorial standards