ESET has identified and analyzed new malware used by Turla – the state-sponsored cyberespionage group – to target high-value political organizations in Eastern Europe. This new tool, ESET reveals, tricks victims into installing malware from what appears to be Adobe's website, with the goal of extracting sensitive information from Turla's targets.
While the Turla group has relied on fake Flash installers in the past to dupe users into installing one of its backdoors, this is the first time the malicious program has been downloaded from legitimate Adobe URLs and IP addresses. ESET is confident, however, that Turla's malware has not compromised any legitimate Flash Player update, nor is it associated with any known Adobe product vulnerability.
Analysis of Adobe Flash abuse
Having monitored the Turla group closely for many years, ESET found that this new malware is not only packaged with a legitimate Flash Player installer but also appears to be downloaded from adobe.com. From the endpoint's perspective, the remote IP address belongs to Akamai, the Content Delivery Network (CDN) Adobe uses to distribute its legitimate Flash installer.
However, on closer inspection, ESET saw that the fake Flash installers were performing GET requests that carried sensitive information out of the newly compromised systems. ESET telemetry shows that Turla installers have been exfiltrating information to get.adobe.com URLs since at least July 2016. Using legitimate domains for data exfiltration makes the traffic much harder for defenders to pick out, which highlights the Turla group's desire to remain as stealthy as possible.
“Turla operators have many sophisticated ways of tricking users into downloading seemingly authentic software, and are clever in how they hide their malicious traffic,” said Jean-Ian Boutin, senior malware researcher at ESET. “Even the most experienced users could be fooled into downloading a malicious file that looks as though it is from Adobe.com, since the URL and IP address mimic Adobe's legitimate infrastructure. As all the downloads we saw were done over HTTP, we advise organizations to forbid the download of executable files over an unencrypted connection. This would significantly reduce the effectiveness of Turla's attacks, as it is harder to intercept and modify encrypted traffic on the path between a machine and a remote server. Secondly, checking the file signature should confirm whether something suspicious is happening, given that these malicious files are not signed and installers from Adobe are. Taking such steps should help users avoid falling victim to Turla's latest campaign.”
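The two network observables described in this section, an executable fetched over plain HTTP and a GET request to get.adobe.com carrying an unusually long query string, can be turned into a simple proxy-log check. The script below is an added example written for this page; it is not ESET's code and contains nothing taken from the Turla samples. The log layout (a Squid-style "timestamp client method url status bytes" line), every hostname other than get.adobe.com, the contents of the fake beacon, the list of executable extensions and the 64-character query threshold are assumptions made for the illustration. The page does not say how the real installers encoded the exfiltrated data, so the heuristic keys only on query length against a host where legitimate queries are expected to be short.

```python
"""Proxy-log heuristics for the Turla fake-Flash observables described above.

Two checks:
  1. an executable downloaded over cleartext HTTP (the traffic Boutin advises blocking);
  2. a GET to a trusted host (get.adobe.com) whose query string is unusually long,
     a possible sign of data being smuggled out in the URL.
Log format, hostnames other than get.adobe.com, beacon contents and thresholds
are assumptions for this example, not facts from the ESET write-up.
"""
import base64
import re
from urllib.parse import urlsplit

# Assumption: extensions worth flagging when fetched over plain HTTP.
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".dll", ".scr")
# Trusted hosts where a long query string is out of place. get.adobe.com is the
# host named in the report; anything else added here would be an assumption.
TRUSTED_HOSTS_SHORT_QUERIES = {"get.adobe.com"}
# Assumption: legitimate get.adobe.com query strings are well under 64 characters.
QUERY_LENGTH_THRESHOLD = 64

# Assumed Squid-like layout: timestamp client_ip method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed beacon: fake host details, base64-encoded so the query string is
# long and opaque. Nothing here is real data.
_FAKE_BEACON = base64.b64encode(
    b"host=WS-01;user=jdoe;domain=CORP;os=Windows 7;arch=x64;uptime=3600"
).decode()

# Constructed sample log. Line 2 is an executable over HTTP from an assumed
# host; line 4 is the long-query GET to get.adobe.com; line 5 is an executable
# over HTTPS and should not be flagged by the cleartext rule.
SAMPLE_LOG = "\n".join([
    "1531000001 10.0.0.5 GET http://get.adobe.com/flashplayer/?installer=FP_PL_PFS_INSTALLER 200 512",
    "1531000002 10.0.0.5 GET http://downloads.example.net/flash_installer.exe 200 1048576",
    "1531000003 10.0.0.7 GET https://www.example.com/index.html 200 2048",
    f"1531000004 10.0.0.5 GET http://get.adobe.com/?q={_FAKE_BEACON} 200 0",
    "1531000005 10.0.0.9 GET https://download.example.org/setup.exe 200 800000",
])


def parse_line(line):
    """Parse one log line into a dict with the URL already split; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["url_parts"] = urlsplit(rec["url"])
    return rec


def is_cleartext_executable_download(rec):
    """True when the URL is plain http:// and the path ends in an executable extension."""
    parts = rec["url_parts"]
    return parts.scheme == "http" and parts.path.lower().endswith(EXECUTABLE_EXTENSIONS)


def looks_like_query_exfil(rec):
    """True when a trusted host receives a query string longer than the threshold."""
    parts = rec["url_parts"]
    if parts.hostname not in TRUSTED_HOSTS_SHORT_QUERIES:
        return False
    return len(parts.query) > QUERY_LENGTH_THRESHOLD


def scan(log_text):
    """Return (rule, client_ip, url) tuples for every line that trips a heuristic."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cleartext_executable_download(rec):
            alerts.append(("cleartext_exe_download", rec["client"], rec["url"]))
        if looks_like_query_exfil(rec):
            alerts.append(("long_query_to_trusted_host", rec["client"], rec["url"]))
    return alerts


if __name__ == "__main__":
    for rule, client, url in scan(SAMPLE_LOG):
        print(f"{rule:28} {client:10} {url}")
```

Run against the constructed log, the script raises two alerts for client 10.0.0.5: the cleartext executable download and the long query to get.adobe.com. The HTTPS executable on line 5 is deliberately left alone, matching the advice above, which targets unencrypted downloads; the length threshold is a starting point to be tuned against what the local proxy actually sees for get.adobe.com.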
Evidence of Turla involvement
ESET is confident in attributing this campaign to the Turla group for a number of reasons. First, some of the fake Flash installers drop a backdoor referred to as Mosquito, which has already been identified as Turla malware. Second, some of the Command and Control (C&C) servers linked to the dropped backdoors use SATCOM IP addresses previously associated with Turla. Lastly, this malware shares similarities with other malware families used by the Turla group.