Researchers trace 'Epic Turla' infection vector
Months after G-Data released its findings on the Turla (Uroburos) rootkit, researchers at Kaspersky Lab and Symantec have detailed the massive cyber-espionage operation behind it and how its victims are first compromised.
After spending the last 10 months analyzing the campaign, researchers at Kaspersky Lab have concluded that victims of the Turla malware (also known as Uroburos or Snake) are infected through a multistage attack that begins with what they call Epic Turla.
Attackers have used Epic Turla to infect hundreds of systems in more than 45 countries, targeting government, military, educational entities, pharmaceuticals, research and embassies.
The attacks have used at least two zero-day exploits: CVE-2013-5065, a privilege escalation vulnerability in Windows XP and Windows Server 2003, and CVE-2013-3346, an arbitrary code execution vulnerability in Adobe Reader. The exploits were delivered through spear-phishing e-mails carrying Adobe PDF attachments, though Kurt Baumgartner, principal security specialist with Kaspersky Lab, told SCMagazine.com in an e-mail that the paucity of spear-phishing attempts from this actor was “somewhat surprising.”
While Kaspersky researchers have not recovered the e-mails used in the attack, they have obtained the PDF attachments.
According to a blog post by Symantec, whose researchers also have been observing the campaign, “some of the spear phishing emails purported to come from a military attaché at a Middle Eastern embassy and had an attachment masquerading as the minutes of meetings.”
When the attachment was opened it “resulted in Trojan.Wipbot being dropped on to the victim's computer,” the blog post said. “It is believed that Wipbot may be the delivery mechanism for Turla as they share several similarities in code and structure.”
Researchers say they also observed exploits against already-patched vulnerabilities. The attackers combine social engineering with watering-hole attacks, and the campaign is ongoing against targets in the Middle East and Europe, though Baumgartner expects to see more activity in the U.S. since “resourced high end operations like this one will change somewhat and continue on.”
During the Epic Turla phase, the attackers primarily used the backdoor known as WorldCupSec (also known as TadjMakhal, Wipbot and Tavdig) to gain a foothold on victims' systems.
Germany-based G-Data SecurityLabs originally published its findings on Uroburos last February but there was no information available at that time on the infection vector.
Kaspersky's analysis, though, indicates that infection occurs in three stages, starting with Epic Turla. After the attackers gain confidence, they move to the second stage, ramping up attacks by using more sophisticated backdoors, such as Carbon/Cobra. When the backdoors are used in concert, one can “rescue” the other if it loses communications, according to a Kaspersky Lab blog post.
Once attackers are able to obtain a victim's credentials undetected, they deploy the rootkit of the “high-grade” Snake/Uroburos malware and use extreme persistence mechanisms.
"Any way you look at it, it was very difficult to fully track down and collect a big picture for an operation like this for a number of reasons,” Baumgartner said. "This operation is truly multi-stage and stealth. Not only are the targets high value and possibly classified targets making them unlikely to publicly report their incidents, but these attackers carefully pre-screen victims and evaluate target systems before pushing even their first line exploit code.”
Explaining that the attackers “pay attention to detail,” Baumgartner noted that “sometimes the first backdoor pushed to a system will not maintain any persistence mechanism, making the code more difficult to assess for security solutions.”
The attackers also “cleaned up their tracks per stage of their operations.” They frequently “custom built and deployed scarce components per target. The website infrastructure itself was carefully selected and built to best maintain stealth,” he said.
Over time, Baumgartner expects the campaign will evolve. “The operators may modify their server side attack toolset somewhat, and definitely they will re-code their exploit set,” he said, noting attackers “currently heavily develop and push a changing toolset, so they have resources to continue changing their backdoors and rootkits.”
To protect themselves, organizations must rely on more than just AV since “the actor is known to use 0-day and a dynamic toolset,” Baumgartner said.
He suggested that companies actively scan inbound and outbound network traffic “for traces of Epic activity,” keep systems updated, and segment resources “to make a significant impact in delaying this attacker.”