Turla is also known as Snake, Uroburos, Waterbug and WhiteBear. After being disclosed by GData in 2014, Kaspersky, Symantec, and ESET continued to track and analyze the organization. The compilation time of the malicious files used by the group can be pushed back to as early as 2011. Dating back to 2006, the malicious file Agent.BTZ can be found to be associated with this organization. This conclusion is based on a comparison of code and functions. Therefore, it can be inferred that the organization has begun to carry out attacks as early as 2006.
The Turla team uses rootkit technology to monitor computers to achieve data theft. This method is very practical in early versions of Windows and can effectively hide in the computer and have higher permissions. Starting from Windows Vista, Microsoft has strengthened its control over the loading process of third-party drivers, requiring a certificate and user consent before it can be installed normally. Therefore, the Turla organization turned to a more complex intrusion process and implanted remote control software without rootkit kits to collect information, but this increased the chance of discovery.
Turla’s attack targets span government agencies, embassies, military institutions, educational research institutions and pharmaceutical companies. Originally disclosed following attacks on U.S. intelligence services. In recent years, the organization has targeted the servers of the German Foreign Ministry and French military-related companies and stolen a large amount of intelligence information.
After analyzing the malware used by the Turla organization, the following information was summarized:
1. The debug information output by the attacker when writing the malware is in English, but not in his native language;
2. The attacker’s infrastructure comes from Russia;
3. The default language used by the attacker is Russian;
4. Similar traces also appeared in Agent.BTZ .
Therefore, it is designated as a threat attack organization originating from Russia.
Turla organization's method of tearing apart defense equipment is through harpoon attacks and waterhole attacks using social engineering methods.
During the attack that was initially discovered, the attacker used a PDF file with a vulnerability and delivered it via email. Use social engineering techniques to lure users into clicking on the PDF file and forwarding it to colleagues or superiors. At the same time, there is also a malware installer with the ".SCR" extension in the attachment, which releases the RAR file and opens the built-in normal PDF file during installation.
Normal PDF file
There are also articles related to the epidemic attack published by Fuying Lab in April using similar attack methods. Detailed analysis.
Between 2010 and 2016, this organization has always used browsers to carry out attacks, including watering hole attacks and 0day vulnerabilities. The attacker implants the malicious JavaScript script identified in the figure below into the attack website. When the user visits the compromised website, the JavaScript script is executed.
After sorting, we have obtained all the websites that have been attacked and their names:
The above websites Sites used as waterhole attacks between 2014 and 2017. These sites were embedded with JavaScript code, which was executed when the user visited. Most of its functions were to obtain the browser's plug-in list, screen resolution and other information. At the same time, Turla will actively select users they are interested in when conducting attacks and deliver malicious files. The most important form is to use fake Adobe Flash installation packages to install backdoors.
Turla’s more distinctive attack method is to use Adobe to conduct attack and deception. This result is also related to the direction of capture. A considerable number of government websites rarely iterate and update quickly after they are built. Using a more advanced architecture, Adobe Flash, a plug-in with a large number of vulnerabilities, has been deeply integrated into these websites. Therefore, Adobe Flash-related attacks are never absent when it comes to catching relevant threats.
2.3 MITM traffic hijacking and modification
When the Turla organization carried out the attack, it hijacked Adobe's network through MITM (man-in-the-middle attack), causing users to replace the system when requesting to download the latest software update package. The user's download content downloads malware without the user being aware of it, and completes control of the target host. However, this approach requires gaining access to core routing and may require hacking at critical nodes in the enterprise or government.
However, the attack process observed on the user side is very simple. For example, the user accesses the following link, which belongs to Adobe and is a subdomain of Adobe, http://admdownload.adobe.com/ bin /live/flashplayer27_xa_install.exe, download the Turla malicious file through this link, but the referer field in the http header of the request is changed to:
http://get.adobe.com/flashplayer/download/?installer=Flash_Player,这个地址与正常下载Adobe的域名相同,协议不同。分析认为,这里是为了绕过Adobe检测机制而插入的referer信息,以便于能够正常访问到admdownload.adobe.com。
Turla组织常用RAT简析
在侵入内部网络后,Turla组织会对目标进行筛选,挑选出感兴趣的,具有高价值信息的目标,并在感染设备上投放恶意软件。从2011年起至今,Turla被发现针对Windows、Linux、MacOS平台均开发了对应的恶意软件,持续窃取机密信息。
该后门会对环境进行检测和处理,通过识别一些网络监测工具来判断是否可以执行,包括:tcpdump.exe、windump.exe、ethereal.exe、wireshark.exe、dsniff.exe。在与C2进行通信则采用了HTTP协议,通过对
The backdoor uses an ID to mark the victim. When communicating for the first time, it will send a data packet with computer information to C2, and use an encryption algorithm to encrypt the sent content, but the attacker The key is also transmitted in this way, so the traffic can be decrypted and analyzed.
When the Turla organization determines that the target is worthy of further attacks based on the return information, the attacker will deploy the second-stage backdoor on the target device. The first-stage backdoor can be understood as an attack test by the Turla organization. This method can effectively avoid downloading Uroburos to unrelated devices and reduce the risk of exposure.
Uroburos is the most famous backdoor. When Turla was first discovered, it was a rootkit backdoor extracted from the compromised device. In order to ensure the stealth and efficiency of the attack, the attacker also used an encrypted virtual file system while using the backdoor.
Uroburos ensures that it can continue to reside in the system by creating services. The following key value information can be found in the registry:
HKLM\System\CurrentControlSet\Services\Ultra3
The main functions of Uroburos are as follows:
l Key function hook
l Decrypt virtual file system
l Inject Ring3 layer
l C&C communication
l Packet capture
Inline hook
Uroburos uses Inline hook to modify key functions, such as:
ZwQueryKey(), ZwEnumerateKey (), ZwCreateKey() and ZwSaveKey() function hooks are used to hide persistent keys added to the registry.
The ZwReadFile() function hook is to hide its own file.
The ZwQuerySystemInformation() function hook is to hide the driver object.
The ZwTerminateProcess() function hook is to clean up the environment when it stops working and avoid problems such as blue screens.
Hook the ObOpenObjectByName() function to hide the virtual file system.
Partial hook function list
Uroburos provides two virtual file systems, NTFS and FAT32, to adapt to different situations. Device, through this virtual file system, attackers can store stolen data, hacking tools, or running log information that needs to be output in the system. By hooking the kernel function, it also prevents anti-virus software from finding the virtual file system. This improves concealment. At the same time, because it does not occupy the system disk, the perception on the user side is almost zero.
The virtual file system is encrypted using CAST-128. The key is hard-coded in the driver file and is decrypted when the driver is mounted and run. After decryption, the .bat script is stored in the file system. The script passes Use the net command to discover intranet machines and obtain basic information about machines in the LAN for use in lateral movement.
There is also a queue file in the file system. Each queue file contains a uid, type, timestamp and payload. The payload also includes a key for decryption. Analyzing other file capture records reveals that configuration files and other types of files may also be included.
Uroburos supports capturing traffic, modifying and intercepting data packets. It can handle HTTP, ICMP, and SMTP protocol traffic, and can obtain application layer transmission information through named pipes.
At the same time, the attacker has reserved interfaces to add new protocols and new methods to process traffic. The attacker achieves the purpose of continuous attacks by updating the files contained in the virtual file system.
Uroburos provides tcp, enc, np, reliable, frag, udp, m2d, doms, t2m, domc communication methods. You can see in the code that np, reliable, frag, enc, m2b, and m2d communicate through NamedPipe. Both tcp and udp construct data packets at the driver layer for communication.
The attacker will judge the value of the target in the early stage of the invasion. After arousing the attacker's interest, the attacker will implant the Carbon backdoor into the device. Carbon is a modular tool that achieves corresponding functions by replacing different plugins.
In the early captured Carbon sample, its plug-in module was placed in the resource section. The most important module is a module called carbon_system.dll, which has two exported functions, ModuleStart and ModuleStop. In the ModuleStart function, multiple mutexes are created to distinguish different module units, and a log file is created in the System\\ directory to record debug information generated during execution.
As the main functional module, carbon_system.dll will create a windows named pipe for communication between other modules, receive information obtained by other functional modules, and write it into a file, waiting for upload. carbon_system.dll obtains disk information through GetDiskFreeSpaceExA to monitor disk usage. When the disk is full, it will write "help information" to the log file to be uploaded to notify the attacker.
carbon_system.dll calls other modules through LoadLibrary, calls the start function to start, and records the startup time, module name and other information in the log.
It also collects process information running on the current device, monitors process changes, and records process information in log files. Similarly, pipes are still used for data transmission.
When carbon executes a task, it will read specific task information from the configuration file:
task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | [execution_mode | username | password]
Each task has its own independent ID number, and additional parameters are used to specify the running mode and method.
carbon_system.dll is just like a control terminal. It is a systematically developed attack kit. You can add or delete modules at will. You only need to provide the corresponding export function to call it. Moreover, carbon_system.dll passes the monitoring Log information generated by different modules is used to determine whether the command was successfully executed, which also hides the attacker's activities to a certain extent.
In addition, Turla also provides a 64-bit version of carbon_system.dll for use in x64 environments. Cobra is the project name that can be seen in the PDB information which Turla did not remove in the 64-bit version..
f:\Workshop\Projects\cobra\carbon_system\x64\Release\carbon_system.pdb
However, the PDB information was not found in the x86 version. After the compilation was completed, the attacker There is no operation on the x64 version, and it is directly packaged into the loader file of carbon_system.
The difference between carbon v3.51 and the initial version mentioned in Section 4.3 lies in the communication part. In v3.51, it communicates with C2 through http requests Interact, and randomly fill in domain names such as www.yahoo.com, www.bbc.com, www.google.com, etc. to hide its own traffic. Part of the downloaded and obtained information is saved in \\\\. \\IdeDrive1\\\\Results\\result.txt file. The \\\\.\\IdeDrive1\\\\ directory mentioned here is the directory in the virtual file system.
In this version, the attacker has removed the monitoring function of disk files and no longer reports the storage status of the infected device to reduce the amount of data during information transmission. The acquisition of running processes is concentrated on tcpdump.exe, windump.exe, windump.exe, wireshark.exe, wireshark.exe, and snoop.exe. When such a process is discovered, a log will be recorded and returned:
Some debug information can be found in the v3.61 version of the carbon module, which is different from the previous version. What is surprising is that this time the debug information is retained in the malicious file of the x86 architecture and has not been cleaned:
The loader part of the backdoor will first perform self-decryption to obtain the code. Find the address of the function to be called by calculating the hash value of the function name, taking the decrypted code as an example. These two functions are not stored encrypted, and their codes can be directly seen through tools such as IDA. The self-decryption function is sub_5711E0, and the hash calculation function is sub_570E10. After completing the import of the function, read the data from its own file and decrypt it. The decryption function is sub_56D480. After decryption, there are two PE files and written to the disk.
The log content is written to the file %APPDATA%\Roaming\kb6867.bin.
The released file contains the main backdoor program, which is loaded through the loader. During execution, the EAT table is modified to add functions for export, and the original export table is modified.
The replaced function first decrypts the encrypted library file name and function name, and obtains the function address through dynamic loading, and then creates a file named \\. \pipe\ms32loc named pipe, then create a thread and wait for other processes to connect. This backdoor writes some basic configuration information by setting registry keys. When recording information in the registry, please use the following path: HKCU\Software\Microsoft\[dllname], and fill in the corresponding information
4.6 The second stage backdoor - Javascript backdoor
The first JavaScript is used to replace the Mosquito backdoor and is installed using a fake Adobe Flash Player installation package.
Get the returned data and decode it with base64.
The second JavaScript file reads %programdata%\1.txt and executes its contents using the eval function. Add local_update_check in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to start at boot.
This backdoor spreads through documents and uses macros to attack. In the macro code, debugging can find that the initial code decrypts the data through the xor algorithm. The final data is written into the mailform.js file, and the released file is stored in the %APPDATA%\Microsoft\Windows path:
Execute the mailform.js file and pass in the parameters NPEfpRZ4aqnh2YuGwQd0, this parameter is the R** key, responsible for decrypting the built-in data. After decoding, it is still a JavaScript file, which is the KopiLuwak backdoor.
Move your own files to different folders according to different system versions:
c:\Users\
c:\Users\
c:\Documents and Settings\
Completes persistence by setting the registry HKEY_CURRENT_USER\software\microsoft\windows\ccurrentversion\run\, the key value is wscript.exe mailform.js "NPEfpRZ4aqnh2YuGwQd0".
Execute the following command through cmd.exe, and write the result to the ~dat.tmp file in the same directory as mailform.js, and use the R** algorithm to encrypt the result, the key is "2f532d6baec3d0ec7b1f98aed4774843 ”, delete the original file after encryption:
systeminfo
net view
net view /domain
tasklist /v
gpresult / z
netstat -nao
ipconfig /all
arp -a
net share
net use
net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%Users* .*
dir %userprofile%AppDataRoamingMicrosoftWindowsRecent*.*
dir %userprofile�sktop*.*
tasklist /fi “modules eq wow64.dll”
tasklist /fi “modules ne wow64.dll”
dir “%programfiles(x86)%”
dir “%programfiles%”
dir %appdata%
The backdoor has two built-in addresses: http://soligro.com/wp-includes/pomo/db.php, http://belcollegium.org/wp-admin/includes/class-wp-upload -plugins-list-table.php, used for communication. It can be inferred from the path that the second website uses WordPress and was compromised by the attacker for C2 hosting.
Use the POST method to send the aforementioned encrypted data to either of these two websites. In addition to filling the User-Agent field sent with "Mozilla/5.0 (Windows NT 6.1; Win64; x64); At the end, a UID generated by the current computer name is added. The algorithm is as follows, where zIRF represents the string "KRMLT0G3PHdYjnEm" and Vxiu represents the current computer user name: 
After receiving the data, C2 will reply four Type of command:
When the work command is received, all the collected information will be sent back to C2. When the fail command is received, the registry HKEY_CURRENT_USER\software\microsoft\windows\ccurrentversion\run will be cleared. \Data in.
Turla organization is one of the organizations currently using the most complex attack tools among APT groups. Its targets cover the foreign ministries and militaries of European countries, Europe, America, etc. The country’s intelligence department. In its early attack operations, the organization used its self-developed weapons to launch attacks. These weapons have obvious characteristics. In recent years, the organization has turned to large-scale use of open source platforms, such as MSF, cobalt Backdoors, intrusion attacks, lateral movement tools, etc. built by strike etc. cover their actions in a large number of attack activities in order to obtain more intelligence information and delay the time of discovery and detection.
At the same time, the Organizations are good at using waterhole websites to penetrate targets and are not easily discovered for a long time. Therefore, the organization's defense should focus on web page access records and check for government and basic websites with forged domain names to reduce the risk of Risk of being attacked.
The above is the detailed content of What is the Turla organization?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
