Turla Cybergroup uses Metasploit in Mosquito campaign

Turla is a well-known cyber espionage group that has been active for at least ten years. The first mention of the group dates to 2008 and relates to the breach of the Department of Defense. Turla has since been attributed numerous information security incidents, including attacks on government agencies and strategic industries such as the defense industry.



In January 2018, we published the first report on the new Turla Mosquito backdoor campaign, together with its indicators of compromise. The campaign is still active, and the attackers have changed tactics to avoid detection.

Since March 2018 we have seen significant changes in this campaign: Turla now uses the open source Metasploit framework to deliver Mosquito. This is not the first time Turla has set aside its own tools; we have previously seen it use generic credential-extraction utilities (Mimikatz). What is noteworthy here is that, for the first time, Turla uses Metasploit as the first-stage backdoor of the attack instead of its own developments, such as Skipper.

Spread


As we mentioned in the previous report, the infection vector in the current Turla campaign is a fake installer that drops one of the group's backdoors alongside the legitimate Adobe Flash Player. The priority targets are consulates and embassies of Eastern European countries.

Compromise occurs when a user downloads the Flash installer from get.adobe.com over HTTP. Traffic is intercepted between the end device and the Adobe servers, which allows the Turla operators to replace the legitimate file with a trojanized version. The figure below shows the points at which traffic could theoretically be intercepted. Note that the fifth scenario, a compromise of Adobe or Akamai, is excluded: the attackers only used the Adobe brand to trick users.



We have not identified the traffic interception point, but we discovered a new executable that imitates a legitimate Flash installer, named flashplayer28_xa_install.exe. Thus the original method of compromise is still in use.

Analysis


In early March 2018, while tracking Turla activity, we noticed changes in the Mosquito distribution campaign. Although the group does not use any innovative tools, this is a major shift in its tactics, techniques and procedures (TTPs).

Previously, the compromise chain consisted of a fake Flash installer that dropped a loader and the main backdoor (see figure below).



Recently, we have observed that the way the final backdoor is dropped has changed. The campaign still uses the fake Flash installer, but instead of directly dropping two malicious DLLs it executes Metasploit shellcode and drops, or downloads from Google Drive, the legitimate installer. The shellcode then downloads Meterpreter, a typical Metasploit payload, which gives the attacker access to the compromised system. Finally, the Mosquito backdoor is installed on the workstation. The new scheme is shown in the figure below.



Given the use of Metasploit, we can assume that the operator controls the process manually. The attack is relatively short: the final backdoor is dropped within thirty minutes of the start of the compromise attempt.

The shellcode used is typical of Metasploit. It is protected with the shikata_ga_nai encoder, applied for seven iterations. The screenshots below show the encoded and decoded payload.





After decoding, the shellcode connects to the C&C server at 209.239.115[.]91/6OHEJ, which serves the additional shellcode. According to ESET telemetry, Meterpreter is downloaded in the next stage. This IP address corresponds to the domain psychology-blog.ezua[.]com, which has been used in the Mosquito campaign since October 2017.
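The two C&C URIs in this report, /6OHEJ and /n2DE3, both have an 8-bit checksum of 92, the value Metasploit's reverse_http(s) stager uses to mark a Windows stager requesting its stage. The script below is an added example, not code from the original post or from ESET: it applies that checksum check to constructed proxy log lines (the log format, timestamps, client addresses and benign requests are assumed) so a defender can triage short, random-looking request paths for Metasploit stager traffic.

```python
from typing import List, Optional, Tuple

# Checksum values recognised by the Metasploit reverse_http(s) handler
# (Rex::Payloads::Meterpreter::UriChecksum). A stager requests a random
# URI whose 8-bit checksum equals one of these, and the handler uses that
# value to decide what to serve back.
URI_CHECKSUMS = {
    92: "INITW (Windows stager asking for its stage)",
    80: "INITP (Python stager asking for its stage)",
    88: "INITJ (Java stager asking for its stage)",
    95: "INIT_CONN (new stageless session)",
    98: "CONN (traffic of an established session)",
}

def checksum8(text: str) -> int:
    """Metasploit's URI checksum: sum of the character codes, modulo 256."""
    return sum(ord(c) for c in text) % 256

def first_segment(path: str) -> str:
    """First path segment of a request path, without slashes or query string."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]

def classify_path(path: str) -> Optional[str]:
    """Label the path if its first segment carries a Metasploit checksum."""
    seg = first_segment(path)
    return URI_CHECKSUMS.get(checksum8(seg)) if seg else None

# Constructed proxy log lines in an assumed "<time> <client> <host> <path>"
# format. The two C&C hosts and URIs are the indicators from this report;
# the timestamps, client addresses and benign requests are made up.
PROXY_LOG = [
    "2018-03-05T10:12:01Z 10.0.0.5 209.239.115[.]91 /6OHEJ",
    "2018-03-05T10:12:07Z 10.0.0.5 70.32.39[.]219 /n2DE3",
    "2018-03-05T10:13:30Z 10.0.0.7 get.adobe.com /flashplayer/",
    "2018-03-05T10:14:02Z 10.0.0.9 drive.google.com /uc?authuser=0&export=download",
]

def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, label) for every request with a matching URI."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than failing
        _, client, host, path = fields
        label = classify_path(path)
        if label:
            hits.append((client, host, label))
    return hits
```

A 5-character random path lands on one of these five values by chance about 2% of the time, so treat a match as a triage lead to combine with the host and IP indicators rather than as proof on its own.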

Next, the fake Flash installer downloads Adobe's legitimate installer from a Google Drive URL and executes it, so that the user does not suspect anything.

Additional tools


In addition to the new fake installer and Meterpreter, we noticed that Turla uses additional tools:


Conclusions


This post describes the evolution of Turla's Mosquito campaign over the past few months. The main change is the use of Metasploit, a popular penetration-testing framework, as the first stage before the custom Mosquito backdoor is installed.

Indicators of compromise




C&C

209.239.115[.]91/6OHEJ
70.32.39[.]219/n2DE3

Link to the legitimate Flash installer

drive.google[.]com/uc?authuser=0&id=1s4kyrwa7gCH8I5Z1EU1IZ_JaR48A7UeP&export=download

Source: https://habr.com/ru/post/412667/
