Attacks using The new malicious tool are believed to have begun by July 2016; they shares similarities with other malware families spread by the group including use of Mosquito, a backdoor believed created by Turla, as well as using IP addresses previously linked with the group.
ESET point out that Turla's malware is not known to have tainted any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities.
Possible attack vectors ESET researchers considered are:
- A machine within the network of the victim's organization could be hijacked so that it acts as a spring board for a local Man-in-the-Middle (MitM) attack.
- The attackers could compromise the network gateway of an organization, enabling them to intercept all the incoming and outgoing traffic between that organization's intranet and the internet.
- The traffic interception could also occur at the level of internet service providers (ISPs), a tactic seen in recent ESET research into surveillance campaigns deploying FinFisher spyware.
- The attackers could have used a Border Gateway Protocol (BGP) hijack to re-route the traffic to a server controlled by Turla, although ESET notes that this tactic would probably quickly set off alarm bells with Adobe or BGP monitoring services.
Exfiltration of sensitive data can then begin and will include the unique ID of the compromised machine, the username, and the list of security products installed on the device. ‘Only' the username and device name are exfiltrated by Turla's backdoor Snake on macOS.
Finally, the fake installer drops – or downloads – and then runs a legitimate Flash Player application whose installer is either embedded in its fake counterpart or is downloaded from a Google Drive web address.
ESET researchers report having seen new samples of the Mosquito backdoor in the wild. These recent iterations are reported to be more heavily obfuscated with what appears to be a custom crypter, to make analysis more difficult both for malware researchers and for security software's code.
To establish persistence on the system, the installer tampers with the operating system's registry. It also creates an administrative account that allows remote access.
The main backdoor CommanderDLL has the .pdb extension. It uses a custom encryption algorithm and can execute certain predefined actions. The backdoor keeps track of everything it does on the compromised machine in an encrypted log file. ESET's latest findings about Turla are available in this white paper.
Previous researchers found the group - assuming it is the same group - is mostly active during the standard working day of the UTC +4 time zone suggesting Russian origin.