Rewterz Threat Alert – Russian State-Sponsored Turla Hacking Group Launches Targeted Attacks – Active IOCs

Severity

High

Analysis Summary

Microsoft and the Ukraine Computer Emergency Response Team (CERT-UA) have issued a critical warning about the activities of the Turla hacking group, believed to be state-sponsored by Russia’s Federal Security Service (FSB). The group, which goes by aliases such as Secret Blizzard, KRYPTON, and UAC-0003, has long been associated with advanced persistent threats (APTs) against Western interests. The latest attacks specifically target the defense industry and Microsoft Exchange servers in Ukraine and Eastern Europe, raising concerns about cybersecurity and espionage in the region.

The modus operandi of these new attacks involves the use of phishing emails carrying Excel XLSM attachments containing malicious macros. When activated, these macros execute a PowerShell command, which creates a scheduled task that masquerades as a Firefox browser updater. However, instead of updating the browser, this task downloads and launches the DeliveryCheck backdoor, also known as CapiBar and GAMEDAY. The DeliveryCheck backdoor connects to the threat actor’s command and control server, enabling them to issue further commands and deploy additional malware payloads.

Notably, what sets DeliveryCheck apart from typical malware is its server-side component that turns a compromised Microsoft Exchange server into a command and control server for the attackers. To achieve this, the threat actors exploit the Desired State Configuration (DSC), a powerful PowerShell module utilized by administrators to create standardized server configurations and apply them automatically to multiple devices. In this attack, the DSC is abused to load a base64-encoded Windows executable, effectively transforming the Exchange server into a hub for distributing malware across the targeted network.

Once the devices are infected, the Turla group employs the DeliveryCheck backdoor to exfiltrate data using the Rclone tool. Moreover, during the attack, the hackers deploy the KAZUAR information-stealing backdoor, which is a highly sophisticated tool designed for cyber espionage. KAZUAR allows the attackers to execute JavaScript on the compromised devices, collect data from event logs and system files, and harvest authentication tokens, cookies, and credentials from a wide array of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook. Of particular concern is the attackers’ focus on exfiltrating files containing messages from the popular Signal Desktop messaging application, potentially granting them access to private Signal conversations, sensitive documents, images, and archive files.

In response to the threat, Microsoft and CERT-UA have taken action, sharing malware samples with various cybersecurity companies to aid in detection. However, the initial report reveals a concerning statistic – only 14 out of 70 vendors on VirusTotal currently detect the submitted DeliveryCheck sample as malware. This low detection rate underscores the importance of timely updates to security software and the need for ongoing collaboration between cybersecurity experts and organizations.

These recent findings emphasize the persistent and advanced nature of the Turla hacking group’s activities, posing significant challenges for cybersecurity professionals and national security agencies. Organizations operating in the defense sector and utilizing Microsoft Exchange servers must remain vigilant and proactive in implementing robust security measures to safeguard their networks from potential threats. As cyber threats continue to evolve, international cooperation and information sharing among CERTs, security vendors, and law enforcement agencies are vital to effectively combat state-sponsored cyber-espionage and protect critical infrastructure.

Impact

• Information Theft and Espionage
• Exposure to Sensitive Data

Indicators of Compromise

URL

• https://www.adelaida.ua/plugins/vmsearch/wp-config-plugins.php
• https://www.adelaida.ua/plugins/vmsearch/wp-config-themes.php
• https://www.adelaida.ua/plugins/vmsearch/wp-file-script.js
• https://atomydoc.kg/src/open_center/
• https://aleimportadora.net/images/slides_logo/
• https://octoberoctopus.co.za/wp-includes/sitemaps/web/
• https://sansaispa.com/wp-includes/images/gallery/
• https://www.pierreagencement.fr/wp-content/languages/index.php
• https://mail.aet.in.ua/outlook/api/logon.aspx
• https://mail.kzp.bg/outlook/api/logon.aspx
• https://mail.numina.md/owa/scripts/logon.aspx
• https://mail.aet.in.ua/outlook/api/logoff.aspx
• https://mail.arlingtonhousing.us/outlook/api/logoff.aspx
• https://mail.kzp.bg/outlook/api/logoff.aspx
• https://mail.lebsack.de/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Conduct regular security awareness training to educate employees about phishing threats and safe email practices.
• Enable multi-factor authentication (MFA) to strengthen account security and prevent unauthorized access.
• Implement robust email filtering mechanisms to identify and block phishing emails, reducing the risk of malware delivery.
• Ensure timely updates and patches for all software, including Microsoft Exchange servers, to address known vulnerabilities.
• Segregate critical systems and sensitive data from the rest of the network through network segmentation to limit lateral movement.
• Deploy comprehensive endpoint protection solutions to detect and block malware and ransomware, safeguarding devices from compromise.
• Collaborate with cybersecurity organizations and law enforcement agencies to share threat intelligence and stay informed about emerging threats.
• Develop and regularly update an incident response plan to efficiently handle cyber attacks, reducing downtime and minimizing the impact of a breach.