Analyzing the Newest Turla Backdoor

Sept. 27, 2024, 5:47 p.m.

Description

The Russian APT group Turla has launched a new campaign that uses shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI and unhooking. The attack begins with a shortcut file masquerading as a PDF, which drops a file that is then executed with MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution, and it communicates with the C2 server using encrypted and encoded data. The analysis reveals sophisticated detection-evasion techniques, including DLL mapping to bypass hooks and patching of ETW- and AMSI-related functions.

Date

  • Created: Sept. 27, 2024, 5:23 p.m.
  • Published: Sept. 27, 2024, 5:23 p.m.
  • Modified: Sept. 27, 2024, 5:47 p.m.

Indicators

  • 8d6fe8e336e020410753ff15ece5f36bae992f7f234385a23590a11ed734792d
  • cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775
  • b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441
  • 7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00
  • files.philbendeck.com

Attack Patterns

  • Turla
  • T1562.002
  • T1070.001
  • T1132.001
  • T1036.004
  • T1573.001
  • T1497.001
  • T1059.001
  • T1572
  • T1497
  • T1095
  • T1132.002
  • T1071.001
  • T1562.001
  • T1204.002
  • T1082
  • T1105
  • T1055
  • T1140
  • T1027