New Turla Crutch Backdoor Exfiltrates Stolen Documents to Dropbox With Turla Hacking Tools

Cybersecurity researchers at ESET have identified a previously undocumented backdoor and document stealer, dubbed “Crutch” by its creators, and attribute it to the infamous Russian hacking group Turla.

The experts report that this backdoor was in use from 2015 to early 2020. They note that the malware family has been seen against only a narrow set of targets, which is common for Turla tools.

Moreover, the experts found Crutch on systems of a Ministry of Foreign Affairs in a European Union member state. ESET researchers were also able to identify links between a 2016 Crutch dropper and a second-stage backdoor that the cyber-espionage group used in 2016-2017.

Similarities

According to the report, the following similarities were found between the two samples:

  • Both samples were dropped at C:\Intel\~intel_upd.exe on the same machine, five days apart, in September 2017.
  • Both samples drop CAB files containing several malware components.
  • The loaders dropped by these samples share closely related PDB paths:
    • C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\Release\Extractor.pdb and
    • C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\x64\Release\Extractor.pdb
  • The loaders decrypt their payloads using the same RC4 key:
    • E8 8E 77 7E C7 80 8E E7 CE CE CE C6 C6 CE C6 68
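The loaders' RC4 payload stage can be reproduced by an analyst as follows. This is an added example, not code from ESET or from the article; the encrypted blob is constructed here by encrypting a stand-in payload with the key above, so the PE sanity check is the only thing the loader's real output would have to satisfy.

```python
# Added example: recover a loader-embedded payload with the RC4 key shared by
# the Crutch loaders described above. Not part of ESET's report or the article.

# RC4 key quoted in the article (shared by both loaders).
CRUTCH_RC4_KEY = bytes.fromhex("E88E777EC7808EE7CECECEC6C6CEC668")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling + PRGA. Symmetric: one call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):            # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:               # PRGA, XOR keystream into data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_payload(blob: bytes, key: bytes = CRUTCH_RC4_KEY) -> bytes:
    """Decrypt a blob carved out of a loader with the known key."""
    return rc4(key, blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the decrypted result: MZ header and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (bytes 0x3C..0x3F)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in payload (not a real Crutch artefact): a minimal MZ stub
# whose e_lfanew points at 0x40, followed by the PE signature. Encrypting it
# yields a blob shaped like what a loader would carry.
FAKE_PAYLOAD = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
                + b"PE\x00\x00" + b"stub")
SAMPLE_BLOB = rc4(CRUTCH_RC4_KEY, FAKE_PAYLOAD)

if __name__ == "__main__":
    recovered = decrypt_payload(SAMPLE_BLOB)
    print("decrypted payload is a PE:", looks_like_pe(recovered))  # → True
```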

Espionage Activity

On several machines at a Ministry of Foreign Affairs in an EU member state, Turla used the Crutch toolset. These tools were built to exfiltrate sensitive documents and other files to Dropbox accounts controlled by the Turla operators.

After capturing the operators’ commands, the experts concluded that the main malicious activity is the staging, compression, and exfiltration of documents and other files. These commands do not, however, show any automated collection of documents.

Working Hours of The Operators

By continuously monitoring the operators’ commands and actions, the experts were able to estimate the operators’ working hours. They did so by recording the hours at which ZIP files were uploaded to the Dropbox accounts the operators control.

These ZIP files carry the commands for the backdoor and are uploaded to Dropbox by the operators, decoupled from when the backdoor retrieves and executes their contents. The upload times therefore reflect the operators’ own schedule rather than the victim machine’s activity.

Malware Delivery

In the first delivery method, a first-stage implant known as Skipper is installed. In 2017, the experts observed Crutch being dropped a few months after Skipper had compromised the computer.

In the second method, the experts observed the use of PowerShell Empire. They could not determine how the malicious script arrived on the machine, but they believe it was delivered through another implant.

Crutch Versions 1 to 3, and Version 4

From 2015 to mid-2019, the malware architecture consisted of a backdoor communicating with Dropbox and a removable-drive monitor without network capabilities. These versions include a backdoor that talks to a hardcoded Dropbox account using the official HTTP API and can execute basic commands such as reading and writing files.

In July 2019, the experts found a new Crutch version that they believe has evolved enough to qualify as version 4. This latest version is an updated removable-drive monitor with networking capabilities.

The cybersecurity experts are still working to uncover all the details of this malware, but Crutch shows that the group is not short of new or still-undocumented backdoors.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.