Turla: A Master of Deception
July 8, 2024, 10:55 a.m.
Description
This report details a recent campaign by the Turla threat group involving malicious LNK files that deliver a fileless backdoor. The attack leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs various evasion techniques like disabling security features, memory patching, and AMSI bypass. The malware establishes communication with its command and control servers and is capable of executing additional PowerShell scripts. The analysis also provides insights into the malware's capabilities, including its anti-detection mechanisms and ability to report information back to its operators.
Date
Published: July 8, 2024, 10:45 a.m.
Created: July 8, 2024, 10:45 a.m.
Modified: July 8, 2024, 10:55 a.m.
Indicators
Attack Patterns
Uroburos - S0022
Snake
Turla
T1127.001
T1562.002
T1059.001
T1071.001
T1562.001
T1036
T1140
Additional Information
Philippines