Analyzing the Newest Turla Backdoor
Sept. 27, 2024, 5:47 p.m.
Tags
External References
Description
The Russian APT group Turla has launched a new campaign that uses shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI and unhooking. The attack begins with a shortcut file that mimics a PDF and drops a file which is then executed using MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution, and it communicates with the C2 server using encrypted and encoded data. The analysis reveals sophisticated techniques to avoid detection, including DLL mapping to bypass hooks and patching of ETW- and AMSI-related functions.
Date
Published: Sept. 27, 2024, 5:23 p.m.
Created: Sept. 27, 2024, 5:23 p.m.
Modified: Sept. 27, 2024, 5:47 p.m.
Indicators
8d6fe8e336e020410753ff15ece5f36bae992f7f234385a23590a11ed734792d
cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775
b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441
7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00
files.philbendeck.com
Attack Patterns
Turla
T1562.002
T1070.001
T1132.001
T1036.004
T1573.001
T1497.001
T1059.001
T1572
T1497
T1095
T1132.002
T1071.001
T1562.001
T1204.002
T1082
T1105
T1055
T1140
T1027