Researchers at ESET said they found a previously undocumented backdoor and document stealer – dubbed “Crutch” by its developers – that they can attribute to the notorious Russian hacker group Turla.
In a blog post published earlier today, ESET said Turla used Crutch against several machines of the Ministry of Foreign Affairs in an unspecified European Union country. The Crutch toolset was designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators.
ESET reports that Crutch was used from 2015 to at least early 2020. The researchers believe that Turla uses this malware family only against very specific targets, which is consistent with many of the Turla group’s toolsets.
The researchers said they captured some of the commands sent by the operators to several Crutch v3 instances, which was helpful in understanding the goal of the operation. According to the researchers, the operators were mainly doing reconnaissance, lateral movement and espionage. The main malicious activity was the staging, compression and exfiltration of documents and various files.
When asked how many documents were stolen, an ESET spokeswoman could not specify and said only that “many” documents were lifted. She also said the researchers had visibility into the file formats (.pdf, .docx, etc.) of the stolen documents and limited visibility into their actual content.
Turla has been active in cyberespionage since 2005. It has compromised many governments, especially diplomatic entities, all around the world, operating a large malware arsenal that ESET has written about over the years. The discovery of Crutch further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.
Austin Merritt, cyber threat intelligence analyst at Digital Shadows, said since Turla’s inception in the 2000s, the group has consistently evolved using customized backdoor malware, malware droppers, and remote access tools to achieve intelligence-gathering objectives on government targets such as embassies, ministries, and intelligence agencies.
“Turla’s ‘Crutch’ backdoor is likely being utilized for reconnaissance and surveillance, especially with the group’s known association with elements of the Russian state in espionage campaigns,” Merritt said. “It’s more likely that threat actors will leverage the Crutch backdoor as a second-stage backdoor for data exfiltration rather than an initial access vector.”
Matthew Westfall, senior application security consultant at nVisium, added that today’s research will likely offer clues about previous campaigns. As a practical matter, Westfall said security teams should add these indicators of compromise to any security toolsets (network and host-based IDS, DNS sinkholes) currently in use.
“Threat hunters should also search existing SIEM tooling for evidence of past malicious activity, especially if they are among Turla APT’s typical targets,” Westfall said. “Because previous campaigns attributed to Turla operators have had lapses in operational security, there’s the potential for defenders to uncover interesting data.”
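One way to act on that hunting advice and on the Dropbox exfiltration path described earlier in the article, as an added example that is not code from ESET or the quoted analysts: a Python hunt over constructed proxy-log lines that flags hosts making repeated, large POSTs to the Dropbox API. The log format, the Dropbox API hostnames and the thresholds are assumptions, not indicators from the ESET report.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real data). Assumed format:
# timestamp src_host method url status bytes_out
SAMPLE_PROXY_LOGS = """\
2020-01-14T09:02:11Z ws-017 POST https://content.dropboxapi.com/2/files/upload 200 4182034
2020-01-14T09:02:19Z ws-017 POST https://content.dropboxapi.com/2/files/upload 200 3905117
2020-01-14T09:02:27Z ws-017 POST https://content.dropboxapi.com/2/files/upload 200 4011990
2020-01-14T09:03:02Z ws-017 POST https://api.dropboxapi.com/2/files/list_folder 200 188
2020-01-14T09:05:40Z ws-042 GET https://www.example.org/ 200 512
2020-01-14T09:06:01Z ws-042 POST https://content.dropboxapi.com/2/files/upload 200 2200
2020-01-14T09:07:33Z ws-101 GET https://eur-lex.europa.eu/ 200 903
"""

# Assumed Dropbox API hostnames to watch (an assumption, not from the ESET report).
DROPBOX_API_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) https?://(?P<fqdn>[^/\s]+)\S* "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

def parse_log(text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec

def find_dropbox_upload_hosts(text, min_uploads=3, min_bytes=1_000_000):
    """Return {host: (post_count, bytes_out)} for hosts whose POSTs to the
    Dropbox API exceed both thresholds. Bulk uploads of staged, compressed
    documents from workstations with no business use for Dropbox are the
    signal; a single small upload (ws-042 in the sample) stays below it."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["fqdn"] in DROPBOX_API_HOSTS:
            stats[rec["host"]][0] += 1
            stats[rec["host"]][1] += rec["bytes"]
    return {h: (n, b) for h, (n, b) in stats.items()
            if n >= min_uploads and b >= min_bytes}

if __name__ == "__main__":
    for host, (n, b) in find_dropbox_upload_hosts(SAMPLE_PROXY_LOGS).items():
        print(f"{host}: {n} Dropbox API POSTs, {b} bytes out")
```

Flagged hosts are a starting point for triage, not a verdict; the thresholds should be tuned to the environment's legitimate Dropbox usage.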