Turla, an infamous advanced persistent threat (APT) group, is using new PowerShell-based tools that provide direct, in-memory loading and execution of malware, executables and libraries. Researchers at ESET detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts, linking them to the group.
Turla is believed to have been operating since at least 2008 when it successfully breached the U.S. military. It has also been involved in major attacks against many government entities in Europe and the Middle East – among them the German Foreign Office and the French military. The group is also known as Snake or Uroburos.
According to Malwarebytes Labs, Turla uses what is thought to be Russian governmental malware. It has infected Linux and Mac operating systems but is mostly associated with infecting Windows systems.
The PowerShell-based tools can bypass detection techniques that are triggered when a malicious executable is dropped on disk. ESET researcher Matthieu Faou believes the tools are also being used globally against "other traditional Turla targets."
The PowerShell loaders, detected by ESET under the umbrella name PowerShell/Turla, differ from simple droppers: they persist on the system and regularly load only the embedded executables into memory, rather than writing them to disk. In some samples, Turla developers modified their PowerShell scripts to bypass the Antimalware Scan Interface (AMSI). With this bypass in place, the antimalware product no longer receives the script content from AMSI for scanning.
“Along with Turla’s new PowerShell loader, we’ve discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its command-and-control [C&C] server,” said Faou. “However, these techniques do not prevent the detection of the actual malicious payloads in memory.”
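The loader behaviour described above (a script decodes an embedded executable and loads it straight into memory instead of dropping it on disk) leaves a trace in PowerShell Script Block Logging even when AMSI has been tampered with. The following is an added example, not from the article or from ESET: a small Python scanner over constructed records in the shape of Script Block Logging events (Event ID 4104). The event layout, the rule names and the severities are assumptions. The reassembly step matters because the logging splits long scripts into numbered fragments that share one ScriptBlockId, so a pattern can straddle two records.

```python
"""Flag PowerShell script blocks that look like in-memory loaders or AMSI tampering.

Added example (not the article's or ESET's code). Input records are constructed
in the shape of PowerShell Script Block Logging (Event ID 4104): a long script is
split into numbered fragments that share one ScriptBlockId.
"""
import re
from dataclasses import dataclass

# Constructed sample records: (ScriptBlockId, fragment number, fragment count, text).
# "sb-2" is deliberately split so the loader pattern straddles two fragments.
SAMPLE_EVENTS = [
    ("sb-1", 1, 1, "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU"),
    ("sb-2", 1, 2, "$bytes = [Convert]::FromBase64String($blob); [System.Reflection."),
    ("sb-2", 2, 2, "Assembly]::Load($bytes).EntryPoint.Invoke($null, @(,[string[]]@()))"),
    ("sb-3", 1, 1, "$u = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"),
    ("sb-4", 1, 1, "$cfg = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($enc))"),
]

# Indicator patterns (assumed rule names). Order matters only for the report.
RULES = {
    # .NET assembly loaded from a byte array: the in-memory execution primitive
    "reflective_assembly_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    # decoding an embedded blob; benign on its own, suspicious next to Assembly.Load
    "base64_decoded_payload": re.compile(r"\[Convert\]::FromBase64String\s*\(", re.I),
    # references to AMSI internals have no routine administrative use
    "amsi_internals_reference": re.compile(r"AmsiUtils|AmsiScanBuffer|amsi\.dll", re.I),
}


@dataclass
class Finding:
    script_block_id: str
    indicators: list
    severity: str


def reassemble(events):
    """Join the fragments of each script block in order.

    Blocks with missing fragments are skipped; a real collector would buffer
    them until the remaining events arrive.
    """
    frags, totals = {}, {}
    for sb_id, num, total, text in events:
        frags.setdefault(sb_id, {})[num] = text
        totals[sb_id] = total
    return {
        sb_id: "".join(parts[n] for n in sorted(parts))
        for sb_id, parts in frags.items()
        if len(parts) == totals[sb_id]
    }


def classify(sb_id, text):
    """Match every rule against the full script text and assign a severity."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    if "amsi_internals_reference" in hits:
        severity = "high"
    elif "reflective_assembly_load" in hits:
        # decoded bytes fed straight to Assembly.Load is the loader shape
        severity = "high" if "base64_decoded_payload" in hits else "medium"
    elif hits:
        severity = "low"  # base64 alone is common in benign scripts
    else:
        severity = "none"
    return Finding(sb_id, hits, severity)


def scan(events):
    """Return findings for every complete script block that matched a rule."""
    findings = []
    for sb_id, text in sorted(reassemble(events).items()):
        finding = classify(sb_id, text)
        if finding.severity != "none":
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.script_block_id}: {f.severity:6} {', '.join(f.indicators)}")
```

Run stand-alone, the scanner reports sb-2 (loader, high), sb-3 (AMSI internals, high) and sb-4 (base64 only, low), and says nothing about the benign sb-1. Matching the fragments of sb-2 individually would miss the loader, which is why the reassembly step comes before classification.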
One of the payloads ESET discovered is a whole set of backdoors relying on the RPC protocol, used to move laterally and take control of other machines on the local network without relying on an external C&C server.
“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said Faou.