Attacks using the new malicious tool are believed to have begun by July 2016; it shares similarities with other malware families spread by the group, including use of Mosquito, a backdoor believed to have been created by Turla, as well as IP addresses previously linked with the group.
ESET points out that Turla's malware is not known to have tainted any legitimate Flash Player updates, nor is it associated with any known vulnerabilities in Adobe products.
Possible attack vectors ESET researchers considered are:
Exfiltration of sensitive data can then begin; it includes the unique ID of the compromised machine, the username, and the list of security products installed on the device. 'Only' the username and device name are exfiltrated by Turla's backdoor Snake on macOS.
Finally, the fake installer drops – or downloads – and then runs a legitimate Flash Player application whose installer is either embedded in its fake counterpart or is downloaded from a Google Drive web address.
ESET researchers report having seen new samples of the Mosquito backdoor in the wild. These recent iterations are reported to be more heavily obfuscated with what appears to be a custom crypter, making analysis more difficult both for malware researchers and for security software.
To establish persistence on the system, the installer tampers with the operating system's registry. It also creates an administrative account that allows remote access.
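Both persistence behaviours described above leave traces that a defender can look for in host telemetry: a user-account creation followed shortly by that account being added to the local Administrators group, and a registry value written under an auto-start Run key. The following is an added example, not code from ESET or from the white paper, showing how those two signals can be picked out of event data. It assumes a simplified key=value log line format that is constructed for the example (real Security and Sysmon events carry more fields and use different member and SID encodings); the event IDs 4720, 4732 and Sysmon 13 and the Administrators SID S-1-5-32-544 are real Windows identifiers, while the sample events are constructed and do not come from any incident.

```python
"""Detection heuristics for two persistence behaviours: creation of a
new administrative account and tampering with registry auto-start keys.

The input format (one event per line, ISO timestamp then key=value
tokens without spaces in values) is an assumption made for this example,
not the output of any real log exporter."""
from datetime import datetime, timedelta

# Real Windows event identifiers used by the heuristics.
EVT_USER_CREATED = "4720"            # Security: a user account was created
EVT_LOCAL_GROUP_ADD = "4732"         # Security: member added to a security-enabled local group
EVT_SYSMON_REG_VALUE_SET = "13"      # Sysmon: registry value set
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

# Registry paths used to auto-start a program at logon; matched case-insensitively.
RUN_KEY_MARKERS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

# Constructed sample events (not taken from any real incident). The
# account creation, group addition and Run-key write in the first three
# lines are the pattern the heuristics should flag; the last two are
# benign noise that should not be flagged.
SAMPLE_LOG = r"""
2018-03-01T10:00:01Z Provider=Security EventID=4720 SubjectUserName=alice TargetUserName=svc_update
2018-03-01T10:00:04Z Provider=Security EventID=4732 SubjectUserName=alice MemberName=svc_update TargetSid=S-1-5-32-544
2018-03-01T10:00:09Z Provider=Sysmon EventID=13 Image=C:\Users\alice\Downloads\flash_setup.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\ProgramData\upd.exe
2018-03-01T11:30:00Z Provider=Security EventID=4720 SubjectUserName=bob TargetUserName=intern01
2018-03-01T14:00:00Z Provider=Sysmon EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=1
"""


def parse_events(text):
    """Parse key=value lines into dicts; the first token is an ISO-8601 UTC timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, _, rest = line.partition(" ")
        event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
        for token in rest.split(" "):
            key, _, value = token.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_new_admin_accounts(events, window=timedelta(minutes=10)):
    """Flag accounts created and then added to Administrators within `window`."""
    created = {e["TargetUserName"]: e["ts"]
               for e in events if e.get("EventID") == EVT_USER_CREATED}
    findings = []
    for e in events:
        if e.get("EventID") != EVT_LOCAL_GROUP_ADD or e.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        member = e.get("MemberName")
        created_at = created.get(member)
        if created_at is not None and timedelta(0) <= e["ts"] - created_at <= window:
            findings.append({
                "account": member,
                "created_by": e.get("SubjectUserName"),
                "elapsed_s": int((e["ts"] - created_at).total_seconds()),
            })
    return findings


def detect_run_key_changes(events):
    """Flag Sysmon registry value-set events that touch an auto-start Run key."""
    findings = []
    for e in events:
        if e.get("Provider") != "Sysmon" or e.get("EventID") != EVT_SYSMON_REG_VALUE_SET:
            continue
        target = e.get("TargetObject", "")
        if any(marker.lower() in target.lower() for marker in RUN_KEY_MARKERS):
            findings.append({"key": target, "value": e.get("Details"), "writer": e.get("Image")})
    return findings


def run_detections(text=SAMPLE_LOG):
    """Run both heuristics over the log text and return their findings."""
    events = parse_events(text)
    return {
        "new_admin_accounts": detect_new_admin_accounts(events),
        "run_key_changes": detect_run_key_changes(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the constructed sample, `run_detections()` reports one suspicious account (svc_update, added to Administrators three seconds after creation) and one Run-key write by the fake installer, and ignores the account that was created but never elevated and the unrelated Explorer setting. The correlation window and the Run-key list are the knobs to tune; in production the same logic would sit on real 4720/4732 and Sysmon 13 events with their proper field names.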
The main backdoor CommanderDLL has the .pdb extension. It uses a custom encryption algorithm and can execute certain predefined actions. The backdoor keeps track of everything it does on the compromised machine in an encrypted log file. ESET's latest findings about Turla are available in this white paper.
Previous researchers found that the group (assuming it is the same group) is mostly active during the standard working day in the UTC+4 time zone, suggesting Russian origin.