Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Analyzing the Newest Turla Backdoor

Sept. 27, 2024, 5:47 p.m.

Description

The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution. It communicates with the C2 server using encrypted and encoded data. The analysis reveals sophisticated techniques to avoid detection, including DLL mapping to bypass hooks and patching of ETW and AMSI-related functions.

Date

Published: Sept. 27, 2024, 5:23 p.m.

Created: Sept. 27, 2024, 5:23 p.m.

Modified: Sept. 27, 2024, 5:47 p.m.

Indicators

8d6fe8e336e020410753ff15ece5f36bae992f7f234385a23590a11ed734792d

cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775

b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441

7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00

files.philbendeck.com

Attack Patterns

Turla

T1562.002

T1070.001

T1132.001

T1036.004

T1573.001

T1497.001

T1059.001

T1572

T1497

T1095

T1132.002

T1071.001

T1562.001

T1204.002

T1082

T1105

T1055

T1140

T1027