Friday, April 26, 2024

“Epic” Turla cyber-espionage campaign wreaking havoc worldwide

Security firm Kaspersky Lab, which uncovered the first cyberweapons in 2012, said Turla, also known as Snake or Uroburos, is one of the most sophisticated ongoing cyber-espionage campaigns.

The latest Kaspersky Lab research on this operation reveals that “Epic” is the initial stage of the Turla victim infection mechanism.


The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.

Targets of “Epic” belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations and pharmaceutical companies.

Most of the victims are located in the Middle East and Europe, however, there are victims in other regions as well, including in the USA.

In total, Kaspersky Lab experts counted several hundred victim IP addresses distributed across more than 45 countries, with France at the top of the list.

Kaspersky Lab’s researchers discovered that the Epic Turla attackers use zero-day exploits, social engineering and watering hole attacks to infect victims.

In the past, they used at least two zero-day exploits: one for Escalation of Privileges (EoP) in Windows XP and Windows Server 2003 (CVE-2013-5065) which allows the Epic backdoor to achieve administrator privileges on the system and run unrestricted; and an exploit in Adobe Reader (CVE-2013-3346) that is used in malicious e-mail attachments.

Whenever an unsuspecting user opens a maliciously-crafted PDF file on a vulnerable system, the machine will automatically get infected, allowing the attacker to gain immediate and full control over the target system.

The attackers use both direct spear-phishing e-mails and watering hole attacks to infect victims. The attacks detected in this operation fall into several different categories depending on the initial infection vector used in compromising the victim:

• Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)

• Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR

• Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)

• Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers

Watering holes are websites commonly visited by potential victims. These websites are compromised in advance by the attackers and injected with code that serves malicious content to visitors.

Depending on the visitor’s IP address (for instance, a government organization’s IP), the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. In total, more than 100 websites have been injected.

The choice of websites reflects the specific interests of the attackers. For example, many of the infected Spanish websites belong to local governments.

Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&C) server to send a pack with the victim’s system information. The backdoor is also known as “WorldCupSec”, “TadjMakhal”, “Wipbot” or “Tadvig”.

Once a system is compromised, the attackers receive brief summary information from the victim, and based on that, they deliver pre-configured batch files containing a series of commands for execution.

In addition to these, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities like a DNS query tool from Microsoft.

During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the “Cobra/Carbon system”, also named “Pfinet” by some anti-virus products.

After some time, the attackers went further and used the Epic implant to update the “Carbon” configuration file with a different set of C&C servers. The unique knowledge required to operate both backdoors indicates a clear and direct connection between them.

“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.

“The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,” Raiu added.

The attackers behind Turla are clearly not native English speakers. They commonly misspell words and expressions, such as:

• Password it’s wrong!
• File is not exists
• File is exists for edit

There are other indications which provide a hint at the origin of the attackers. For instance, some of the backdoors have been compiled on a system with Russian language settings.

Additionally, the internal name of one of the Epic backdoors is “Zagruzchik.dll”, which means “bootloader” or “load program” in Russian.

Finally, the Epic mothership control panel sets the code page to 1251, which is used for Cyrillic characters. Interestingly, possible connections with different cyber-espionage campaigns have been observed. In February 2014, Kaspersky Lab experts observed that the threat actor known as Miniduke was using the same web-shells to manage infected web servers as the Epic team did.
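The misspelled operator strings and the internal DLL name quoted above are the kind of low-cost indicators a defender can sweep for in suspicious binaries and memory dumps. The following scanner is an added example and not Kaspersky Lab code: it takes the strings the article lists (assuming a straight ASCII apostrophe in “Password it’s wrong!”), searches a buffer for each of them both as plain ASCII and as UTF-16LE (the wide-string form Windows executables commonly use), and reports every match with its encoding and byte offset. The two sample buffers are constructed here for illustration and are not real Epic samples.

```python
"""String-indicator scanner for the Epic Turla operator strings quoted in the article.

Added example, not Kaspersky Lab code. Indicator strings come from the article;
the sample buffers below are constructed for illustration only.
"""
from dataclasses import dataclass

# Strings the article attributes to the Epic backdoor and its control panel.
# Assumption: the apostrophe in the first string is a straight ASCII quote.
INDICATORS = (
    "Password it's wrong!",
    "File is not exists",
    "File is exists for edit",
    "Zagruzchik.dll",
)

# Encodings to try: plain ASCII and UTF-16LE (wide strings in Windows PE files).
ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    indicator: str
    encoding: str
    offset: int


def scan_buffer(data: bytes) -> list[Hit]:
    """Return every indicator occurrence in `data`, ordered by byte offset."""
    hits: list[Hit] = []
    for text in INDICATORS:
        for enc in ENCODINGS:
            needle = text.encode(enc)
            start = 0
            # Loop so that repeated occurrences of the same string are all reported.
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append(Hit(text, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def scan_file(path: str) -> list[Hit]:
    """Convenience wrapper: scan a file on disk (e.g. a quarantined DLL)."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample: a fake PE-like blob carrying one ASCII and one UTF-16LE indicator.
SAMPLE = (
    b"MZ" + b"\x00" * 30                      # offsets 0..31: fake header padding
    + b"File is not exists\x00"               # ASCII indicator at offset 32
    + b"\x00" * 8
    + "Zagruzchik.dll".encode("utf-16-le")     # UTF-16LE indicator at offset 59
    + b"\x00\x00"
)

# Constructed benign buffer: a grammatically correct message, so no indicator should fire.
CLEAN = b"MZ" + b"\x00" * 16 + b"File not found\x00"

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE):
        print(f"{h.indicator!r} ({h.encoding}) at offset {h.offset}")
    print("clean sample hits:", len(scan_buffer(CLEAN)))
```

On their own, strings such as “File is not exists” are weak evidence (other software written by non-native speakers produces similar text), so a hit is a triage signal for further analysis rather than a verdict; combining it with the other traits the article names, such as Russian compilation settings or the 1251 code page, raises confidence.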
