Home > Article > Operation and Maintenance > How Turla uses watering hole attacks to plant backdoors
Turla compromised at least four Armenian websites, including two government websites. Therefore, targets may include government officials and politicians. The following website was compromised:
armconsul [.] ru: Consular Section of the Embassy of Armenia in Russia
mnp.nkr [.] am: Ministry of Nature Conservation and Natural Resources of the Republic of Artsakh
aiisa [.] am: Armenian Institute of International and Security Affairs
adgf [.] am: Armenian Deposit Guarantee Fund
These sites have been active since at least the beginning of 2019 was invaded. Turla uses illegal access to insert malicious JavaScript code into websites. For example, for mnp.nkr[.]am, the obfuscated code is appended to the end of jquery-migrate.min.js (a common JavaScript library), as shown in Figure 1:
Change the code Additional JavaScript scripts will be downloaded from 'skategirlchina[.]com/wp-includes/data_from_db_top.php.' Since November 2019, it was discovered that the website is no longer distributing malicious scripts, and the Turla group appears to have suspended their activities.
After visiting the infected webpage, skategirlchina[.]com will implant the second stage of malicious JavaScript and add a fingerprint to the visitor's browser. Figure 2 shows the main functionality of this script.
If this is the first time the user's browser executes the script, it will add an evercookie with a random MD5 value provided by the server that will be different each time the script is executed. evercookie is implemented based on GitHub code. It uses multiple storage locations (such as local database, Flash cookies, Silverlight storage, etc.) to store cookie values. It is more persistent than a regular cookie and will not be deleted if the user simply deletes the browser's cookie.
The evercookie will be used to identify if the user visits the infected website again. When the user visits for the second time, the previously stored MD5 value can be used to identify the second visit behavior.
It will collect browser plug-in list, screen resolution and various operating system information, and send it to the C&C server by POST. If there is a reply, it is considered to be JavaScript code and executed using the eval function.
#If the attacker is interested in infecting the target, the server will reply with a JavaScript code. In this campaign Turla is only interested in a very limited number of visits to the website. Users are then shown a fake Adobe Flash update warning, as shown in Figure 3, designed to trick them into downloading a malicious Flash installer.
No exploit techniques for browser vulnerabilities were observed, and the campaign relied solely on social engineering techniques. If the user manually launches the executable, the Turla malware and the legitimate Adobe Flash program are installed. Figure 4 shows the delivery of the malicious payload from the initial visit to the infected Armenian website.
Once the user executes the fake installer, it will execute both the Turla malware and the legitimate Adobe Flash installer. Therefore, users may believe that update warnings are legitimate.
Before August 2019, victims will receive a RAR-SFX containing a legitimate Adobe Flash v14 installer and another RAR-SFX. The latter contains various components of the backdoor. The latest version was recorded by Telsy in May 2019.
The remote JavaScript and malicious file server used by the Skipper communication module is the C&C server, Skategirlchina [.com/wp-includes/ms-locale.php.
A new malicious payload was discovered at the end of August. The new malicious payload is a .NET program that deletes Adobe Flash v32 in %TEMP%\adobe.exe Installer, removed NetFlash (.NET Downloader) in %TEMP%\winhost.exe. According to the compilation timestamps, the malicious samples were compiled at the end of August 2019 and early September 2019.
NetFlash is responsible for downloading its second-stage malware from hardcoded URLs and using Windows scheduled tasks to establish persistence. Figure 5 shows the NetFlash functionality, downloading the second-stage malware called PyFlash. Another NetFlash sample was also discovered, compiled at the end of August 2019, with a different hardcoded C&C server: 134.209.222[.]206:15363.
The second stage backdoor is the py2exe executable file. py2exe is a Python extension for converting Python scripts into Windows executables. This is the first time Turla developers have used the Python language for a backdoor.
The backdoor communicates with a hard-coded C&C server via HTTP. The C&C URL is specified at the beginning of the script along with other parameters used to encrypt network communications (such as the AES key and IV), as shown in Figure 6.
The main function of this script (shown in Figure 7) is to send machine information to the C&C server, and also includes OS-related commands (systeminfo, tasklist) and network-related commands (ipconfig, getmac, arp ) the output result.
The C&C server can also send backdoor commands in JSON format. The commands are:
1. Download other files from the given HTTP(S) link.
2. Use the Python function subprocess32.Popen to execute Windows commands.
3. Modify Windows tasks to start malware regularly (every X minutes; default is 5 minutes).
4. Kill (uninstall) the malware. To confirm this instruction, the malware sends a POST request to the C&C server using the following string:
Turla will still use watering hole attacks as one of its initial intrusion target strategies. This campaign relies on social engineering techniques and uses fake Adobe Flash update warnings to trick users into downloading and installing malware. On the other hand, the payload has changed, possibly to evade detection, and the malicious payload is NetFlash and installs a backdoor called PyFlash, which was developed using the Python language.
website
http://www.armconsul[.]ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js
http://mnp.nkr[.]am/wp-includes/js/jquery/jquery-migrate.min.js
http://aiisa[.]am/js /chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js
adgf[.]am
C&C servers
http://skategirlchina[.]com/wp-includes /data_from_db_top.php
http://skategirlchina[.]com/wp-includes/ms-locale.php
http://37.59.60[.]199/2018/. config/adobe
http://134.209.222[.]206:15363
http://85.222.235[.]156:8000
Sample
MITRE ATT&CK techniques
##
The above is the detailed content of How Turla uses watering hole attacks to plant backdoors. For more information, please follow other related articles on the PHP Chinese website!