Primarily targeting Windows mail servers and web servers, the Turla group deploys specially-crafted phishing emails to compromise targets in attacks that deploy Neuron and Nautilus in conjunction with the Snake rootkit.
By using a combination of these tools, Turla is able to gain persistent network access on compromised systems, providing covert access to sensitive data or the ability to use the system as a gateway for carrying out further attacks.
Alterations to the dropper and loading mechanisms of Neuron are designed to avoid the malware being detected, allowing its malicious activities to continue without being interrupted.
One of the ways this is achieved is using an in-memory payload, which is encrypted within the loader to ensure it never touches the disk in plaintext. This modification allows Neuron to evade detection during disk scans performed by antivirus software, although the NCSC say it's "likely" that AV suites which scan memory will still uncover the payload.
The authors of Neuron have also altered the encryption of the new version, now configuring multiple hardcoded keys rather than just using one. Like many of the other changes, it's most likely these have been implemented to make detection and decryption by network defenders more difficult.
The Turla group moves quickly: the compile times contained within the code show that the new version of the malware was compiled just five days after previous warnings about Neuron were made public in November.
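The compile times referred to above live in the COFF header of every PE file (the `TimeDateStamp` field), and comparing them against the date of a public advisory is a cheap triage step for defenders. The following is an added illustration, not code from the NCSC advisory or from any of the tools the article describes: it parses the PE header, extracts the timestamp, and reports how many days after a reference date the binary was built. The sample PE bytes and the reference date are constructed placeholders, not the real Neuron samples or the actual advisory date.

```python
import struct
from datetime import datetime, timezone

# Constructed placeholder for "the date the earlier warning was published";
# substitute the real advisory date when triaging actual samples.
REFERENCE_DATE = datetime(2017, 11, 1, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout used: 'MZ' DOS header, e_lfanew at offset 0x3C pointing to the
    'PE\\0\\0' signature, followed by the COFF file header whose fields are
    Machine (2 bytes), NumberOfSections (2 bytes), TimeDateStamp (4 bytes).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def days_after_reference(compile_time: datetime,
                         reference: datetime = REFERENCE_DATE) -> float:
    """Days between the reference date and the binary's build time
    (negative means the binary predates the reference)."""
    return (compile_time - reference).total_seconds() / 86400


def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal PE header for demonstration only: just enough of a
    DOS header, PE signature and COFF header for pe_compile_time() to parse."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHI", 0x8664, 0, stamp)  # x64, 0 sections, timestamp
    hdr += b"\0" * 12                            # rest of the COFF header
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed sample built five days after the placeholder reference date.
    sample = build_sample_pe(int(REFERENCE_DATE.timestamp()) + 5 * 86400)
    built = pe_compile_time(sample)
    print(f"compiled {built:%Y-%m-%d %H:%M:%S} UTC, "
          f"{days_after_reference(built):.1f} days after reference")
```

The caveat a practitioner should keep in mind: `TimeDateStamp` is attacker-controlled data. It can be zeroed, set to a future date, or (in reproducible builds) replaced with a hash, so a plausible-looking value supports a timeline but does not prove one; corroborate it with file-system and event-log timestamps from the host.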
Advice by the NCSC for organisations that have previously been targeted by Turla is to "be diligent in checking for the presence of these additional tools".