The Turla cyberespionage group has implemented some new tactics over the last few months incorporating some open-source exploitation tools instead of relying solely on their own creations to run campaigns.
ESET researchers found that starting in March the Turla has been leveraging the open-source framework Metasploit to drop the group’s proprietary Mosquito backdoor. The group has periodically used open-source hacking tools for other tasks, but ESET believes the group has never before used Metasploit as a first stage backdoor.
The reason ESET singled out this change is it believes the information could be useful for those performing incident response on attacks involving Turla
The group has not altered its targets, mainly Eastern European embassies, nor its attack methodology, using a compromised Flash installer to drop the malware along with the real Flash Player.
The general order the attack follows is the fake Flash installer is accessed by the victim. However, unlike in the past when two malicious DLLs were dropped by Turla, a Metasploit shellcode is executed and then a real version of Flash Player is downloaded from a Google Drive. The final stage has the shellcode download a Meterpreter which gives the malicious actor the ability to control the device and then the Mosquito back door is put in place.
Recently, we observed a change in the way in which the final backdoor is dropped. Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer. Then, the shellcode downloads a Meterpreter, which is a typical Metasploit payload , allowing the attacker to control the compromised machine. Finally, the machine may receive the typical Mosquito backdoor. The figure below summarizes the new process.
“Because Metasploit is being used, we might also guess that an operator controls the exploitation process manually. The time frame of the attack was relatively short as the final backdoor was dropped within thirty minutes of the start of the compromise attempt,” the report said.