Turla backdoors compromise European government foreign offices

The backdoors are told what to do and what to steal by email.

ESET researchers tracking a notorious backdoor and cyberespionage campaign have warned that the list of government victims is far longer than previously thought -- and at least two new European offices have succumbed.

The backdoor is the work of an advanced persistent threat (APT) group known as Turla. Turla has previously been linked to the Gazer malware family, which has been used against various government and diplomatic bodies in Europe before.

Gazer was connected to watering hole attacks and spear-phishing campaigns targeting government entities and diplomats for the purpose of cyberespionage.

In 2017, Turla was also connected to a backdoor implanted in Germany's Federal Foreign Office, where it was used to siphon confidential government information over the majority of the year.

Turla is believed to originate from Russia and has been active since at least 2008. Now, it seems the APT is ramping up its efforts and has leveraged the same backdoor against the foreign offices of two other European countries.

In addition, an unnamed major defense contractor has also become a victim of the threat actors.

The backdoor used in these campaigns was created in 2009 and since then has undergone a number of radical changes. Stealthy, able to avoid detection for long periods of time, and recently upgraded to execute malicious PowerShell scripts directly in computer memory, the malware has now earned a "rare degree of stealth and resilience," according to ESET.

Turla's malware, which is a Dynamic Link Library (DLL) module, maintains persistence by tampering with the Windows registry. In a technique known as "COM object hijacking," the backdoor will automatically respawn when Microsoft Outlook is opened.

The malware has most recently targeted users of Microsoft Outlook. However, the software itself is not used as an attack vector; rather, the malware attempts to subvert Microsoft Outlook's legitimate Messaging Application Programming Interface (MAPI) to infiltrate victim inboxes.

See also: Guns are already on UK streets. 3D printing could make things far worse.

An interesting element of this backdoor is how Turla chooses to control it. The majority of malware makes use of command-and-control (C&C) centers to issue commands, but in this case, crafted .PDF files sent to compromised email inboxes send the operational commands.

When a victim receives an email, the malware generates a log which contains information about the message, including the sender, recipient, subject, and attachment names. This data is then regularly bundled up and sent to the Turla APT via a .PDF document.

However, the threat group is careful to only send these emails during standard working hours to prevent arousing suspicion. All email notifications are also blocked from view.

TechRepublic: Top 5: Risks of encryption backdoors

"The compromised machine can be instructed to carry out a range of commands," ESET researchers said. "Most importantly, these include data exfiltration, as well as the downloading of additional files and the execution of additional programs and commands. Data exfiltration itself also takes place via .PDF files."

The backdoor is what the researchers call "operator-agnostic," which means that the malicious code will accept commands from anyone able to encode them into a crafted .PDF.

This may be a technique used to prevent the collapse of malware operations in cases where malicious C&C centers are seized by cybersecurity teams or law enforcement.

CNET: Congress introduces bill to block government encryption backdoors

Turla is the only group known to the researchers which use email-based command systems and the case reveals just how innovative APT groups can be when valuable political information is up-for-grabs.

ZDNet has reached out to ESET with additional queries and will update if we hear back.

Previous and related coverage