Microsoft and the Ukraine Computer Emergency Response Team (CERT-UA) have issued a critical warning about the activities of the Turla hacking group, believed to be state-sponsored by Russia’s Federal Security Service (FSB). The group, which goes by aliases such as Secret Blizzard, KRYPTON, and UAC-0003, has long been associated with advanced persistent threats (APTs) against Western interests. The latest attacks specifically target the defense industry and Microsoft Exchange servers in Ukraine and Eastern Europe, raising concerns about cybersecurity and espionage in the region.
The modus operandi of these new attacks involves the use of phishing emails carrying Excel XLSM attachments containing malicious macros. When activated, these macros execute a PowerShell command, which creates a scheduled task that masquerades as a Firefox browser updater. However, instead of updating the browser, this task downloads and launches the DeliveryCheck backdoor, also known as CapiBar and GAMEDAY. The DeliveryCheck backdoor connects to the threat actor’s command and control server, enabling them to issue further commands and deploy additional malware payloads.
Notably, what sets DeliveryCheck apart from typical malware is its server-side component that turns a compromised Microsoft Exchange server into a command and control server for the attackers. To achieve this, the threat actors exploit the Desired State Configuration (DSC), a powerful PowerShell module utilized by administrators to create standardized server configurations and apply them automatically to multiple devices. In this attack, the DSC is abused to load a base64-encoded Windows executable, effectively transforming the Exchange server into a hub for distributing malware across the targeted network.
In response to the threat, Microsoft and CERT-UA have taken action, sharing malware samples with various cybersecurity companies to aid in detection. However, the initial report reveals a concerning statistic – only 14 out of 70 vendors on VirusTotal currently detect the submitted DeliveryCheck sample as malware. This low detection rate underscores the importance of timely updates to security software and the need for ongoing collaboration between cybersecurity experts and organizations.
These recent findings emphasize the persistent and advanced nature of the Turla hacking group’s activities, posing significant challenges for cybersecurity professionals and national security agencies. Organizations operating in the defense sector and utilizing Microsoft Exchange servers must remain vigilant and proactive in implementing robust security measures to safeguard their networks from potential threats. As cyber threats continue to evolve, international cooperation and information sharing among CERTs, security vendors, and law enforcement agencies are vital to effectively combat state-sponsored cyber-espionage and protect critical infrastructure.