Turla Turns PowerShell Into A Weapon In Attacks Against EU Diplomats


A cyberespionage group believed to be from Russia is once again striking political targets, and this time, PowerShell scripts have been weaponized to increase the power of their attacks.

Turla, also known as Snake or Uroburos, has been active since at least 2008. The advanced persistent threat (APT) group was previously linked to a backdoor implanted in Germany's Federal Foreign Office for the purposes of data exfiltration in 2017, alongside attacks against the US military, a defense contractor, and a variety of European government entities.

The Russian hacking group is rarely quiet for long, and now, the APT has returned with a fresh wave of attacks against diplomatic entities in Eastern Europe.

[Image: Previous attacks believed to be the work of Turla. Source: Kaspersky Labs]

According to researchers from ESET, Turla has recently employed PowerShell scripts. The scripts allow "direct, in-memory loading and execution of malware executables and libraries," the team says, which can also help the group evade the detection that can be triggered when a malicious executable is dropped onto a disk.

The use of PowerShell is not completely foreign to Turla. Last year, Kaspersky Labs said the APT was experimenting with PowerShell in-memory loads to bypass security protections, in the form of a customized open-source PoshSec-Mod system.

Turla's loader was based on the legitimate PoshSec-Mod software, but in 2018, the custom code was considered flawed and would often crash due to bugs.

ESET says that now, a year later, it seems most of the cracks in the system have been smoothed over.

Turla has now improved its use of PowerShell and is using scripts to load an array of malware. However, the scripts in question are not considered simple droppers as they are able to "persist on the system as they regularly load into memory only the embedded executables," according to ESET.

The PowerShell loader uses both a Windows Management Instrumentation (WMI) event subscription and alters the PowerShell profile (profile.ps1 file) to maintain persistence on an infected system.

In total, two WMI event filters and two WMI event consumers are created. The consumers are simple command lines that load a PowerShell script stored in the Windows registry.
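Both persistence locations can be reviewed on a host with built-in cmdlets. The following is an added example, not code from ESET or from the malware; the function names `Get-WmiCommandLinePersistence` and `Get-ExistingPowerShellProfile` and the `LaunchesPowerShell` heuristic are assumptions made for illustration.

```powershell
# Added example: audit the two persistence locations named in the article.
# Run in an elevated Windows PowerShell session on the host under review.

function Get-WmiCommandLinePersistence {
    # Permanent WMI event subscriptions live in the root\subscription namespace.
    $ns        = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # A binding references its filter and consumer by key property (Name).
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        if (-not $c) { continue }   # bound to another consumer type; skip
        [pscustomobject]@{
            Filter             = $f.Name
            Query              = $f.Query               # WQL trigger condition
            Consumer           = $c.Name
            CommandLine        = $c.CommandLineTemplate
            # Heuristic (assumption): flag consumers that start PowerShell.
            LaunchesPowerShell = [bool]($c.CommandLineTemplate -match 'powershell')
        }
    }
}

function Get-ExistingPowerShellProfile {
    # Profile scripts run every time PowerShell starts. This checks the four
    # profile paths of the current user and host only; repeat per user.
    $scopes = 'AllUsersAllHosts', 'AllUsersCurrentHost',
              'CurrentUserAllHosts', 'CurrentUserCurrentHost'
    foreach ($scope in $scopes) {
        $path = $PROFILE.$scope
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Scope     = $scope
            Path      = $item.FullName
            LastWrite = $item.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

Get-WmiCommandLinePersistence | Format-List
Get-ExistingPowerShellProfile | Format-List
```

Any command-line consumer that launches PowerShell, or a profile script nobody on the team created, deserves a comparison against a known-good baseline for that host.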


When it comes to decrypting payloads stored in the registry, the 3DES algorithm is used. Once decrypted, a PowerShell reflective loader then comes into play.

"The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system," the researchers say.

However, the selection process is not completely random, as some processes, including avp.exe, avpsus.exe, klnagent.exe and vapm.exe, are excluded. These process names belong to legitimate Kaspersky anti-virus protection software, which may indicate they are excluded to avoid detection.

In some samples, ESET also found that Turla's PowerShell script had been modified to bypass the Antimalware Scan Interface (AMSI), a Windows feature which permits the OS to integrate with antivirus products. The script is also able to patch the AmsiScanBuffer function, which prevents the antivirus product from being able to perform any malware scans.


The PowerShell loader is used to launch malware, including a backdoor based on the RPC protocol which is able to exfiltrate data, execute commands, and support plugins for additional malware modules.

"Many variants of this RPC backdoor are used in the wild," ESET says. "Among some of them, we have seen local proxies (using upnprpc as the endpoint and ncalrpc as the protocol sequence) and newer versions embedding PowerShellRunner to run scripts directly without using powershell.exe."

A PowerShell backdoor is also available for download. Known as PowerStallion, the lightweight backdoor uses cloud storage -- such as Microsoft OneDrive -- as a form of command-and-control (C2) server. The researchers believe the backdoor is included as a recovery access tool for the major Turla backdoor.


Earlier this month, ESET discovered the existence of another major backdoor used by Turla. Dubbed LightNeuron, the malware has been specifically designed for Microsoft Exchange email servers and works as a mail transfer agent (MTA).

ESET says that while the PowerShell scripts have been used against political targets in Eastern Europe, the cybersecurity firm believes "the same scripts are used more globally against many traditional Turla targets in Western Europe and the Middle East."
