Published on January 11th, 2018

Researchers uncover an innocent software update that’s really a cover for espionage

A state-sponsored hacking operation is targeting diplomats, using a new attack that bundles malware with a legitimate software update.

Uncovered by researchers at ESET, the attacks are targeting embassies and consulates in eastern European post-Soviet states and have been attributed to Turla, a well-known advanced persistent threat group.

The hacking operation has a history of targeting government and diplomatic bodies using watering-hole attacks and spear-phishing campaigns, which often involve the use of fake Flash downloads, to infiltrate victims' systems. Researchers note that some private companies have been infected, but that they are not the main targets of the campaign.

Campaigns using this attack technique have been operational since July 2016, but security researchers are still unsure how the attackers are bundling their payload alongside a Flash Player installer. "The victims are made to believe that the only thing that they are downloading is authentic software... unfortunately, nothing could be further from the truth," ESET said.

Possible attack vectors include a man-in-the-middle attack, the target organisation having its network gateway compromised, traffic interception at the level of internet service providers, or a Border Gateway Protocol (BGP) hijack used to re-route the traffic to a server controlled by Turla -- although the latter would quickly set off alarm bells.

What is known is that the Turla group relies on a web app hosted on Google Apps Script as a command-and-control server for JavaScript-based malware. It's something researchers say demonstrates how the attackers are attempting to remain as stealthy as possible by hiding in the network traffic of targeted organisations.
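The interception scenarios described above all amount to the same thing for the victim: the bytes that arrive are not the bytes the publisher released. The check a defender can apply is an integrity comparison against a reference value obtained through an independent, authenticated channel (a vendor checksum file fetched over a separate HTTPS session, or a code-signing check on Windows). The following is an added illustration, not code from ESET or from this article; the "installer" bytes, the appended "payload" and the file names are constructed stand-ins, and the appended-bytes tampering is only one possible form of modification in transit.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_bytes(data, expected_sha256):
    """Return True only if data hashes to the out-of-band reference value.

    compare_digest is used so the comparison does not leak where the
    mismatch occurs; the hex strings are normalised to lower case first.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def verify_download(path, expected_sha256):
    """File-based variant of verify_bytes: hash the file on disk before it is executed."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def demo():
    """Constructed scenario: a genuine installer and a copy modified in transit.

    Returns (clean_verdict, tampered_verdict); the expected result is (True, False).
    """
    # Constructed stand-in for a vendor installer; not a real Flash binary.
    genuine = b"MZ" + b"\x00" * 62 + b"constructed installer body"
    # The reference hash a publisher would list on its own download page.
    published_hash = hashlib.sha256(genuine).hexdigest()
    # Constructed tampered copy: the same installer with extra bytes appended,
    # standing in for a payload bundled into the download on the wire.
    tampered = genuine + b"\n[constructed appended payload]"

    with tempfile.TemporaryDirectory() as tmp:
        clean_path = Path(tmp) / "installer_clean.exe"
        tampered_path = Path(tmp) / "installer_tampered.exe"
        clean_path.write_bytes(genuine)
        tampered_path.write_bytes(tampered)
        return (
            verify_download(clean_path, published_hash),
            verify_download(tampered_path, published_hash),
        )


if __name__ == "__main__":
    clean_ok, tampered_ok = demo()
    print(f"clean installer verifies: {clean_ok}")
    print(f"tampered installer verifies: {tampered_ok}")
```

The value of the check depends entirely on where `expected_sha256` comes from: a hash served by the same path that delivered the installer can be rewritten by the same interception, so the reference has to be pinned or fetched through a channel the attacker does not control.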

Once a user runs the software, the attackers are able to open backdoors and drop malware onto the compromised machine. One form of malware that the attackers attempt to drop is Mosquito, a backdoor associated with previous Turla campaigns and likely to be custom-built by the hacking outfit.

It's this use of Mosquito -- which shares similarities with other Turla-associated malware -- combined with the fact that some of the command-and-control servers linked to the attack have been used in previous Turla campaigns that has led ESET to say "with confidence" that this campaign is being conducted by the notorious hacking group.

Researchers also add that some of the victims have been infected with other Turla-related malware such as ComRAT or Gazer, suggesting a strong link between the campaigns. All of them show a strong interest in consulates and embassies in Eastern Europe, and the operators are noted to have "put a lot of effort into keeping their remote access to these important sources of information".
