SLTechnology News&Howtos > Network Security (updated 2025-04-04)
Shulou (Shulou.com), 05/31 report
This article describes the Turla group: its history, its intrusion methods and the remote-access tools it deploys.
Overview of the Turla group
Turla is also known as Snake, Uroburos, Waterbug and WhiteBear. After G DATA disclosed it in 2014, Kaspersky, Symantec and ESET continued to track and analyse the group. Judging by the compile timestamps of the malware it uses, the group's activity can be traced back to at least 2011, and comparison of code and functionality links it to a malicious file named Agent.BTZ from 2006, so the group is believed to have been attacking as early as 2006.
Turla used rootkit techniques to monitor compromised computers and steal data. This worked well on earlier Windows versions, where code running with high privileges could hide itself effectively. Starting with Windows Vista, Microsoft tightened control over the loading of third-party drivers (on 64-bit systems a kernel driver must carry a valid code-signing certificate, and the user must consent to the installation), so Turla switched to more complex intrusion chains and implanted user-mode remote-access tools without a rootkit to collect information, at the cost of a higher chance of being detected.
Turla targets government agencies, embassies, military institutions, educational institutions, research institutes and pharmaceutical companies. It was first disclosed after an attack on US intelligence. In recent years the group has attacked servers of the German Ministry of Foreign Affairs and French military-related companies, stealing large amounts of intelligence.
Analysis of the malware used by Turla yields the following clues:
1. The debug strings written by the malware authors are in English, which is not their native language.
2. The attackers' infrastructure is located in Russia.
3. The attackers' default system language is Russian.
4. Similar traces appear in Agent.BTZ.
Turla is therefore assessed to be a threat group originating from Russia.
Turla intrusion methods
Turla breaks through perimeter defences with spear-phishing and watering-hole attacks that rely on social engineering.
2.1 Social engineering attacks
In the first attack discovered, the attacker delivered by e-mail a PDF file that exploited a vulnerability in the reader. Through social engineering, users were induced to open the PDF and to forward it to colleagues or superiors. The attachment also contained a malware installer with a ".SCR" extension which, when run, extracted a RAR archive and opened an embedded benign PDF as a decoy.
[Figure: the benign decoy PDF]
A similar modus operandi was analysed in detail in Shadow Lab's April articles on epidemic-themed attacks.
2.2 Watering-hole attacks
Between 2010 and 2016 the group attacked through the browser, using watering holes and 0-day vulnerabilities. The attacker injects malicious JavaScript (shown in the figure below) into a compromised website, and the script runs whenever a user visits that site.
After collation we obtained the compromised websites and their names (shown in the figure):
These sites served as watering holes between 2014 and 2017. JavaScript embedded in them runs when a user visits, and in most cases it collects the browser plug-in list, screen resolution and similar fingerprinting information. Turla then actively selects the users it is interested in and delivers malicious files to them, most importantly fake Adobe Flash installation packages that install a backdoor.
Turla's characteristic decoy is Adobe software, and this also matches what gets captured in the field: once built, many government websites are rarely updated or migrated to newer architectures, and Adobe Flash, a plug-in with a long history of vulnerabilities, is deeply embedded in them. As a result, Adobe Flash-related attacks are always present when capturing threats of this kind.
2.3 MITM traffic hijacking and modification
Turla hijacks Adobe's network traffic through a man-in-the-middle (MITM) attack: when a user requests the latest software update package, the download is replaced, malware is installed without the user noticing, and the target host is taken over. This approach, however, requires access to core routing, or even control of key network nodes of the targeted enterprise or government.
The attack as observed on the user side is very simple. For example, the user visits the following URL, which belongs to a legitimate Adobe subdomain: http://admdownload.adobe.com/bin/live/flashplayer27_xa_install.exe. The Turla malware is downloaded through this URL, but the Referer field of the HTTP request header is set to http://get.adobe.com/flashplayer/download/?installer=Flash_Player. The domain name is the same as the normal Adobe download portal, but the protocol differs. According to the analysis, this Referer was inserted to bypass Adobe's check so that admdownload.adobe.com could be accessed normally.
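The Referer anomaly described above is something a proxy log can be checked for. The following Python script is an added example, not code from the original article or from any Turla tool: it parses a constructed proxy log (the field order and all sample lines are made up for this illustration) and flags Flash installer downloads from admdownload.adobe.com whose Referer is get.adobe.com over plain http, on the assumption that the genuine portal is served over https, which is what the protocol mismatch in the text implies.

```python
"""Flag Flash Player installer downloads whose Referer matches the MITM pattern
described above: an admdownload.adobe.com download referred by get.adobe.com
over plain http rather than https.

Added example. The log format ("<ts> <client> <method> <url> <status> <referer>")
and the sample lines are constructed for this illustration, not real proxy data.
"""
from urllib.parse import urlsplit

# Constructed sample log; "-" means the request carried no Referer.
SAMPLE_LOG = """\
1509321600.101 10.0.0.15 GET http://admdownload.adobe.com/bin/live/flashplayer27_xa_install.exe 200 http://get.adobe.com/flashplayer/download/?installer=Flash_Player
1509321601.322 10.0.0.22 GET http://admdownload.adobe.com/bin/live/flashplayer27_xa_install.exe 200 https://get.adobe.com/flashplayer/download/?installer=Flash_Player
1509321602.005 10.0.0.31 GET http://admdownload.adobe.com/bin/live/flashplayer27_xa_install.exe 200 -
1509321603.770 10.0.0.15 GET https://www.example.org/index.html 200 https://get.adobe.com/
"""

ADOBE_DOWNLOAD_HOST = "admdownload.adobe.com"
ADOBE_PORTAL_HOST = "get.adobe.com"


def parse_proxy_line(line):
    """Split one constructed log line into a dict."""
    ts, client, method, url, status, referer = line.split(None, 5)
    return {
        "ts": float(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referer": None if referer.strip() == "-" else referer.strip(),
    }


def classify(entry):
    """Return a finding label for a suspicious Flash installer download, or None."""
    url = urlsplit(entry["url"])
    if url.hostname != ADOBE_DOWNLOAD_HOST or not url.path.lower().endswith(".exe"):
        return None
    if entry["referer"] is None:
        # Installer fetched without visiting the portal first: weaker signal.
        return "flash-installer-without-referer"
    ref = urlsplit(entry["referer"])
    if ref.hostname == ADOBE_PORTAL_HOST and ref.scheme == "http":
        # Assumption for this example: the genuine portal is https-only, so an
        # http:// get.adobe.com Referer is the forged header the text describes.
        return "forged-http-referer-from-adobe-portal"
    return None


def scan(log_text):
    """Return (client, url, finding) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_proxy_line(line)
        finding = classify(entry)
        if finding:
            findings.append((entry["client"], entry["url"], finding))
    return findings


if __name__ == "__main__":
    for client, url, finding in scan(SAMPLE_LOG):
        print(f"{client} {finding} {url}")
```

The first rule is only high-fidelity if the portal really is served over https in your environment; confirm that against your own traffic before alerting on it, and treat the missing-Referer rule as a lead to correlate with the downloaded file's hash rather than as an alert on its own.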
Turla attack techniques mapped to the ATT&CK matrix
Brief analysis of the RATs commonly used by Turla
After breaking into an internal network, Turla screens targets, selects those of interest that hold high-value information, and drops malware on the infected devices. Since 2011 Turla has been found to develop malware for Windows, Linux and macOS and to keep stealing confidential information.
4.1 First-stage backdoor - Epic
The backdoor first checks its environment to decide whether it can run, looking for network monitoring tools including tcpdump.exe, windump.exe, ethereal.exe, wireshark.exe and dsniff.exe. It communicates with C2 over HTTP and obtains its commands by parsing specially formatted content in the response.
The backdoor tags each victim with an ID and, on first contact, sends a packet with computer information to C2. The content is encrypted, but the attacker transmits the key over the same channel, so the traffic can be decrypted and analysed.
When Turla decides from the returned information that the target is worth further effort, it deploys the second-stage backdoor on the device. The first-stage backdoor can be understood as Turla's reconnaissance probe: it avoids downloading Uroburos to irrelevant devices and reduces the risk of exposure.
4.2 Second-stage backdoor - Uroburos
Uroburos is one of the best-known backdoors: a rootkit extracted from a compromised device when Turla was first discovered. Alongside the backdoor the attackers use an encrypted virtual file system to keep their activity covert and efficient.
Uroburos persists by creating a service. The following key can be found in the registry:
HKLM\System\CurrentControlSet\Services\Ultra3
The main functions of Uroburos are:
- Hooking key functions
- Decrypting the virtual file system
- Injection into the Ring 3 (user-mode) layer
- C2 communication
- Packet capture
Inline hooks
Uroburos uses inline hooks to modify key kernel functions, for example:
ZwQueryKey(), ZwEnumerateKey(), ZwCreateKey() and ZwSaveKey() are hooked to hide the persistence keys added to the registry.
ZwReadFile() is hooked to hide its own files.
ZwQuerySystemInformation() is hooked to hide the driver object.
ZwTerminateProcess() is hooked to clean up when the rootkit stops working, avoiding problems such as blue screens.
ObOpenObjectByName() is hooked to hide the virtual file system.
[Figure: partial list of hooked functions]
Decrypting the file system
Uroburos provides two virtual file systems, NTFS and FAT32, to fit different devices. The attacker uses them to store stolen data, tools and the run-time logs that need to be written, and the kernel hooks keep antivirus software from finding the virtual file system, which improves concealment. Since the file system does not appear as an extra disk, the user notices almost nothing.
The virtual file system is encrypted with CAST-128; the key is hard-coded in the driver file and the file system is decrypted when the driver loads. Inside it, a .bat script discovers intranet hosts by using the net command to collect basic information about machines on the local network for lateral movement.
The file system also holds queue files. Each queue file contains a uid, type, timestamp and payload, and the payload includes a key for decryption. Other files captured by G DATA show that configuration files and other data may be stored there as well.
Packet capture
Uroburos can capture, modify and intercept network packets. It handles HTTP, ICMP and SMTP traffic, and the application-layer data it extracts is passed on through named pipes.
The attacker also reserved an interface for adding new protocols and new traffic-handling methods, and keeps the attack going by updating the files inside the virtual file system.
C2 communication
Uroburos provides the communication modes tcp, enc, np, reliable, frag, udp, m2d, doms, t2m and domc. The code shows that np, reliable, frag, enc, m2b and m2d communicate through named pipes, while tcp and udp build their packets in the driver layer.
4.3 Second-stage backdoor - Carbon
The attacker assesses the target's value at the start of the intrusion and, once interested, implants the Carbon backdoor. Carbon is a modular tool whose functions are provided by interchangeable plug-ins.
In the first captured Carbon sample the plug-in modules are stored in the resource section. The most important is carbon_system.dll, which has two exports, ModuleStart and ModuleStop. ModuleStart creates several mutexes to distinguish the module units and creates a log file in the System\ directory to record debug information produced during execution.
As the main functional module, carbon_system.dll creates Windows named pipes for communication with the other modules, receives the information they collect and writes it to a file awaiting upload. It obtains disk information through GetDiskFreeSpaceExA to monitor disk usage; when the disk is full it writes a "help" message into the log file that is uploaded, to notify the attacker.
carbon_system.dll loads the other modules with LoadLibrary, calls their start function, and records the start time, module name and other details in the log.
It also collects the processes running on the device, monitors process changes, and records them in the log file; here too, pipes are used for data transfer.
When running a task, Carbon reads the task definition from its configuration file:
task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | [execution_mode | username | password]
Each task has its own id, and the optional trailing parameters specify how and under which account it runs.
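A parser for the task-line format above, as an added example (not Carbon's own code). The field names come from the text; the "|" separator, the rule that the three bracketed fields are optional and appear in that order, and all sample lines are assumptions made for this illustration.

```python
"""Parser for the Carbon task-line format quoted above:

    task_id | task_filepath | task_config_filepath | task_result_filepath |
    task_log_filepath | [execution_mode | username | password]

Added example, not Carbon's code. Field names are from the text; the '|'
separator, the optional trailing group and the sample lines are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

REQUIRED_FIELDS = ("task_id", "task_filepath", "task_config_filepath",
                   "task_result_filepath", "task_log_filepath")
OPTIONAL_FIELDS = ("execution_mode", "username", "password")


@dataclass
class CarbonTask:
    task_id: str
    task_filepath: str
    task_config_filepath: str
    task_result_filepath: str
    task_log_filepath: str
    execution_mode: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None

    def uses_credentials(self) -> bool:
        """True when the task line names an account to run under."""
        return bool(self.username)


def parse_task_line(line: str) -> CarbonTask:
    """Parse one task line; raise ValueError on a field count outside 5..8."""
    fields = [f.strip() for f in line.strip().split("|")]
    lo, hi = len(REQUIRED_FIELDS), len(REQUIRED_FIELDS) + len(OPTIONAL_FIELDS)
    if not lo <= len(fields) <= hi:
        raise ValueError(f"expected {lo} to {hi} fields, got {len(fields)}: {line!r}")
    # zip stops at the shorter sequence, so missing optional fields stay None.
    return CarbonTask(**dict(zip(REQUIRED_FIELDS + OPTIONAL_FIELDS, fields)))


def parse_task_file(text: str) -> List[CarbonTask]:
    """Parse all non-empty lines; malformed lines are reported and skipped."""
    tasks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            tasks.append(parse_task_line(line))
        except ValueError as exc:
            print(f"line {lineno}: {exc}")
    return tasks


# Constructed sample task file (ids, paths and the account are illustrative).
SAMPLE_TASKS = """\
1 | C:\\temp\\task1.exe | C:\\temp\\task1.cfg | C:\\temp\\task1.res | C:\\temp\\task1.log
2 | C:\\temp\\task2.exe | C:\\temp\\task2.cfg | C:\\temp\\task2.res | C:\\temp\\task2.log | 1 | CORP\\svc_backup | Winter2017!
broken line with | too few fields
"""

if __name__ == "__main__":
    for task in parse_task_file(SAMPLE_TASKS):
        note = " (runs as named account)" if task.uses_credentials() else ""
        print(f"task {task.task_id}: {task.task_filepath}{note}")
```

The optional group is where credentials land on disk in clear text inside the configuration, so when carving a recovered Carbon configuration the username and password fields are the first thing to pull for scoping which accounts the attacker held.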
carbon_system.dll acts as the control console of a systematic attack suite: modules can be added or removed at will, as long as they provide the expected export functions. It also determines whether a command succeeded by monitoring the log information produced by the different modules, which hides the attacker's activity to a certain extent.
Turla also provides a 64-bit build of carbon_system.dll for x64 environments. The PDB information was not removed from the 64-bit build, and it shows the project name cobra:
F:\Workshop\Projects\cobra\carbon_system\x64\Release\carbon_system.pdb
No PDB information was found in the x86 version. After compiling, the attacker did not post-process the x64 build and packaged it directly into the carbon_system loader file.
4.4 Second-stage backdoor - other versions of Carbon
Carbon v3.51 differs from the original version described in Section 4.3 in its communication. v3.51 talks to C2 over HTTP requests and randomly fills in domain names such as www.yahoo.com, www.bbc.com and www.google.com to disguise its traffic. Some of the downloaded and collected information is stored in \IdeDrive1\Results\result.txt, where \IdeDrive1\ is a directory in the virtual file system.
In this version the attackers removed the disk monitoring and no longer report the storage state of infected devices, reducing the amount of data per transmission. Process enumeration now concentrates on tcpdump.exe, windump.exe, wireshark.exe and snoop.exe; when such a process is found, a log entry is written and sent back:
Some debug information can be found in the v3.61 Carbon module. Unlike the previous version, this debug information sits in an x86 file and was not cleaned up:
4.5 Second-stage backdoor - Mosquito
The backdoor's loader first decrypts itself to obtain its code. The decrypted code locates the functions it needs to call by hashing their names. These two routines are stored unencrypted and can be read directly in tools such as IDA: the self-decryption routine is sub_5711E0 and the hash routine is sub_570E10. After resolving its imports, the loader reads data from its own file and decrypts it with sub_56D480; the result is two PE files, which it writes to disk.
Log output is written to %APPDATA%\Roaming\kb6867.bin.
The dropped files include the main backdoor program, which the loader loads by patching the original export address table (EAT) so that an exported function is replaced.
The replacement function first decrypts the encrypted library and function names, resolves their addresses by dynamic loading, creates a named pipe \\.\pipe\ms32loc, and starts a thread that waits for other processes to connect. The backdoor stores basic configuration values in the registry under HKCU\Software\Microsoft\[dllname].
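To show how name-hash import resolution works, here is an added Python illustration; it is not Mosquito's code, and the ROR-13 style hash and the toy export table are assumptions chosen for illustration (the article does not say which algorithm sub_570E10 implements). It shows both sides: the loader's walk over a module's exports comparing hashes, and the analyst's precomputed hash-to-name table used to label the constants found in the binary.

```python
"""Import resolution by name hash, the technique the Mosquito loader uses so
that no readable API names appear in the file.

Added example, not Mosquito's code. The hash (rotate-right-13 then add, a
common shellcode choice) and the fake export table are assumptions.
"""
from typing import Dict, Iterable, Optional, Tuple


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13-and-add hash over the ASCII bytes of a name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for a DLL's export table: name -> (fake) address.
# A real loader walks the PE export directory of the module in memory.
FAKE_EXPORTS: Dict[str, int] = {
    "CreateNamedPipeA": 0x7FF10010,
    "CreateThread": 0x7FF10020,
    "RegSetValueExA": 0x7FF10030,
    "WriteFile": 0x7FF10040,
}


def resolve_by_hash(exports: Dict[str, int], wanted: int) -> Optional[Tuple[str, int]]:
    """Loader side: hash every export name until one matches the stored constant."""
    for name, addr in exports.items():
        if ror13_hash(name) == wanted:
            return name, addr
    return None


def build_lookup_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for the APIs a DLL exports, so the
    32-bit constants recovered from the loader can be labelled in IDA."""
    return {ror13_hash(n): n for n in names}


if __name__ == "__main__":
    wanted = ror13_hash("CreateNamedPipeA")   # the binary stores only this number
    print(hex(wanted), resolve_by_hash(FAKE_EXPORTS, wanted))
    table = build_lookup_table(FAKE_EXPORTS)
    print(table[ror13_hash("CreateThread")])
```

The lookup table has to be built from the full export list of every DLL the loader might target; a constant that matches nothing usually means a different hash routine, not a missing API, so the rotate amount and seed are the first things to check against sub_570E10.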
4.6 Second-stage backdoor - JavaScript backdoor
The first JavaScript backdoor was used to replace Mosquito and is installed through a fake Adobe Flash Player installation package.
It retrieves the data returned by C2, base64-decodes it and executes it.
The second JavaScript file reads %programdata%\1.txt and executes its contents with eval. It adds a local_update_check entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to start at boot.
4.7 Second-stage backdoor - KopiLuwak
This backdoor spreads through documents and is launched by a macro. Debugging the macro shows that the initial code XOR-decrypts embedded data and writes it to mailform.js under %APPDATA%\Microsoft\Windows:
mailform.js is executed with the argument NPEfpRZ4aqnh2YuGwQd0, the key used to decrypt its embedded data. The decoded result is again a JavaScript file: the KopiLuwak backdoor.
Depending on the Windows version, it moves its file to one of the following folders:
C:\Users\<user>\AppData\Local\Microsoft\Windows\mailform.js
C:\Users\<user>\AppData\Local\Temp\mailform.js
C:\Documents and Settings\<user>\Application Data\Microsoft\Windows\mailform.js
It persists by writing a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with the data wscript.exe mailform.js "NPEfpRZ4aqnh2YuGwQd0".
It then runs the following commands through cmd.exe, writes the output to a ~dat.tmp file in the same directory as mailform.js, encrypts the result with the key "2f532d6baec3d0ec7b1f98aed4774843" and deletes the plaintext afterwards:
systeminfo
net view
net view /domain
tasklist /v
gpresult /z
netstat -nao
ipconfig /all
arp -a
net share
net use
net user
net user administrator
net user /domain
net user administrator /domain
set
dir %systemdrive%\Users\*.*
dir %userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*
dir %userprofile%\Desktop\*.*
tasklist /fi "modules eq wow64.dll"
tasklist /fi "modules ne wow64.dll"
dir "%programfiles(x86)%"
dir "%programfiles%"
dir %appdata%
The backdoor has two built-in C2 addresses, http://soligro.com/wp-includes/pomo/db.php and http://belcollegium.org/wp-admin/includes/class-wp-upload-plugins-list-table.php. The paths (wp-includes, wp-admin) show that both are WordPress sites that the attacker compromised and used for C2 hosting.
The encrypted data is sent to either of the two sites with a POST request. The User-Agent field is "Mozilla/5.0 (Windows NT 6.1; Win64; x64)" with a UID derived from the current computer name appended; in the code, zIRF holds the string "KRMLT0G3PHdYjnEm" and Vxiu holds the current user name:
After receiving the data, C2 replies with one of four instructions:
On the work instruction, all collected information is sent back to C2; on the fail instruction, the backdoor deletes its entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
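The following Python is an added host-side detection example for the chain described in this section; it is not part of the original report. It checks Run-key data for a wscript.exe launch of a .js file (the persistence pattern above) and looks for a burst of the discovery commands listed above spawned via cmd.exe under a script host. The Sysmon-style event fields and all sample events are constructed for the illustration, and the thresholds are tuning assumptions.

```python
"""Host-side detection for the KopiLuwak chain above: a Run-key value that
starts wscript.exe on a .js file, then a burst of discovery commands run via
cmd.exe under that script host. Added example; event fields, sample events
and thresholds are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Discovery commands from the list above, reduced to their leading token(s).
RECON_COMMANDS = {
    "systeminfo", "net view", "tasklist", "gpresult", "netstat",
    "ipconfig", "arp", "net share", "net use", "net user", "set", "dir",
}
MIN_DISTINCT_RECON = 6   # tuning assumption: distinct recon commands per alert
WINDOW_SECONDS = 120     # tuning assumption: burst window


def is_js_scripthost_autorun(value: str) -> bool:
    """Flag Run-key data such as: wscript.exe mailform.js "NPEfpRZ4aqnh2YuGwQd0"."""
    toks = value.strip().lower().split()
    if not toks or not toks[0].strip('"').endswith(("wscript.exe", "cscript.exe")):
        return False
    return any(t.strip('"').endswith(".js") for t in toks[1:])


@dataclass
class ProcEvent:
    ts: float      # seconds
    pid: int
    ppid: int
    image: str     # executable file name only
    cmdline: str


def recon_kind(cmdline: str) -> Optional[str]:
    """Return which recon command a cmd.exe command line runs, or None."""
    toks = cmdline.lower().split()
    if "/c" in toks:                      # strip the "cmd.exe /c" wrapper
        toks = toks[toks.index("/c") + 1:]
    if not toks:
        return None
    cand = " ".join(toks[:2]) if toks[0] == "net" else toks[0]
    return cand if cand in RECON_COMMANDS else None


def find_recon_bursts(events: List[ProcEvent]) -> List[dict]:
    """Alert when a script-host parent spawns MIN_DISTINCT_RECON distinct recon
    commands through cmd.exe within WINDOW_SECONDS."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)
    for e in events:
        kind = recon_kind(e.cmdline) if e.image.lower() == "cmd.exe" else None
        if kind:
            hits[e.ppid].append((e.ts, kind))
    alerts = []
    for ppid, items in hits.items():
        parent = by_pid.get(ppid)
        if not parent or parent.image.lower() not in ("wscript.exe", "cscript.exe"):
            continue
        items.sort()
        for i, (t0, _) in enumerate(items):           # sliding window
            window = {k for t, k in items[i:] if t - t0 <= WINDOW_SECONDS}
            if len(window) >= MIN_DISTINCT_RECON:
                alerts.append({"parent_pid": ppid, "parent_cmd": parent.cmdline,
                               "commands": sorted(window)})
                break
    return alerts


# Constructed sample: mailform.js under wscript.exe runs seven recon commands;
# an unrelated explorer.exe child runs a single ipconfig.
SAMPLE_EVENTS = [
    ProcEvent(999.0, 777, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(1000.0, 4321, 900, "wscript.exe", 'wscript.exe mailform.js "NPEfpRZ4aqnh2YuGwQd0"'),
    ProcEvent(1001.0, 5001, 4321, "cmd.exe", "cmd.exe /c systeminfo"),
    ProcEvent(1002.0, 5002, 4321, "cmd.exe", "cmd.exe /c net view /domain"),
    ProcEvent(1003.0, 5003, 4321, "cmd.exe", "cmd.exe /c tasklist /v"),
    ProcEvent(1004.0, 5004, 4321, "cmd.exe", "cmd.exe /c netstat -nao"),
    ProcEvent(1005.0, 5005, 4321, "cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcEvent(1006.0, 5006, 4321, "cmd.exe", "cmd.exe /c net user /domain"),
    ProcEvent(1007.0, 5007, 4321, "cmd.exe", "cmd.exe /c arp -a"),
    ProcEvent(1010.0, 5008, 777, "cmd.exe", "cmd.exe /c ipconfig /all"),
]
SAMPLE_RUN_VALUES = [
    'wscript.exe mailform.js "NPEfpRZ4aqnh2YuGwQd0"',
    '"C:\\Program Files\\Vendor\\updater.exe" /background',
]

if __name__ == "__main__":
    print([v for v in SAMPLE_RUN_VALUES if is_js_scripthost_autorun(v)])
    for a in find_recon_bursts(SAMPLE_EVENTS):
        print(a["parent_cmd"], "->", ", ".join(a["commands"]))
```

Any single one of these commands is normal administrative noise; the signal is the parent (a script host started from a Run key) combined with the breadth of the burst, which is why the rule keys on distinct commands per parent rather than on any one command line.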
Summary
Turla is one of the APT groups with the most sophisticated attack tools; its targets include European foreign ministries, armed forces, and intelligence services in Europe, the Americas and elsewhere. In its early campaigns the group used self-developed weapons with distinctive characteristics. In recent years it has shifted to large-scale use of open-source and off-the-shelf platforms such as MSF and Cobalt Strike for backdoors, intrusion and lateral movement, hiding its actions among the many attacks that use the same tools, in order to obtain more intelligence and delay detection.
The group is also skilled at using watering-hole sites to reach its targets, which can go undetected for a long time. Defence should therefore focus on web access logs and on look-alike domains impersonating government and infrastructure websites, to reduce the risk of compromise.