The Turla group, also known as Waterbug or Snake, has used new tools in malicious campaigns targeting government agencies around the world. The group had previously struck several energy-related organizations.

The companies ESET and Symantec both published studies a few days apart about Turla’s new techniques. These studies are in agreement on several matters, with a few unique details in each. ESET’s study focuses more on the technical contents of the tools, while Symantec’s has more to say about how these tools are deployed and what targets were hit.

According to Symantec, there have been three waves of attacks:

  • A campaign targeting Microsoft Exchange servers using a backdoor named Neptun
  • A campaign using the tool Meterpreter as well as two custom loaders, a backdoor in the form of a DLL, and an RPC backdoor
  • A campaign using another RPC backdoor, which runs PowerShell code without writing files to disk

Symantec also says that the attackers used the infrastructure of another hacker group known as Crambus. This was not a collaboration: Turla simply took control of the other group’s C&C servers. The researchers told the two groups apart by the tools Turla used and the techniques it is known for. The following image shows some of what happened.

Turla (Waterbug)’s takeover of Crambus’ infrastructure. Credit: Symantec


ESET’s analysis details the third campaign described by Symantec. The attackers use two persistence methods for their PowerShell tools:

  • Using WMI events. When the local time is exactly 15:30:40, or the victim system has been up for 300 to 400 seconds, a PowerShell command reads the encrypted content of another payload from the registry, decrypts it, and saves it under another registry key.
  • Using the PowerShell profile. This profile is a script that runs whenever PowerShell starts. A payload similar to the one triggered by the WMI event is added to that profile.
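
Both persistence mechanisms leave artifacts a defender can enumerate. The following audit script is an added example, not code from ESET, Symantec or the campaign itself; it assumes a Windows host and an elevated PowerShell session, and the WQL class names it flags (Win32_LocalTime, Win32_PerfFormattedData_PerfOS_System) are my assumption of how a clock-time or uptime trigger is usually expressed, not values quoted in the reports.

```powershell
# Added audit script (not from ESET, Symantec or Turla's tooling).
# Assumes Windows and an elevated session: root/subscription requires admin rights.
# The trigger class names below are an assumption about typical WQL time/uptime triggers.

$ns = 'root/subscription'

# Filters whose WQL keys on wall-clock time or system uptime, as the page describes
$triggerPattern  = 'Win32_LocalTime|Win32_PerfFormattedData_PerfOS_System|SystemUpTime'
# Consumers that launch PowerShell or carry encoded/inline script
$consumerPattern = 'powershell|pwsh|-enc|FromBase64String'

Write-Host "== Permanent WMI event subscriptions in $ns =="
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

foreach ($f in $filters) {
    $flag = if ([string]$f.Query -match $triggerPattern) { '[TIME/UPTIME TRIGGER]' } else { '' }
    Write-Host ("Filter   {0,-30} {1}`n  WQL: {2}" -f $f.Name, $flag, $f.Query)
}
foreach ($c in $consumers) {
    # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer exposes ScriptText
    $action = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
    $flag = if ([string]$action -match $consumerPattern) { '[POWERSHELL/ENCODED]' } else { '' }
    Write-Host ("Consumer {0,-30} {1} ({2})`n  Action: {3}" -f $c.Name, $flag, $c.CimClass.CimClassName, $action)
}
foreach ($b in $bindings) {
    # Filter and Consumer are references to the instances listed above
    Write-Host ("Binding  {0} -> {1}" -f $b.Filter.Name, $b.Consumer.Name)
}

Write-Host "`n== PowerShell profile scripts (run automatically when PowerShell starts) =="
foreach ($scope in 'AllUsersAllHosts','AllUsersCurrentHost','CurrentUserAllHosts','CurrentUserCurrentHost') {
    $path = $PROFILE.$scope
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        Write-Host ("PRESENT  {0,-22} {1}  (modified {2})" -f $scope, $path, $item.LastWriteTime)
        # Print the profile body: registry reads, decoders or reflective loading here deserve a closer look
        Get-Content -LiteralPath $path | ForEach-Object { "    $_" } | Write-Host
    } else {
        Write-Host ("absent   {0,-22} {1}" -f $scope, $path)
    }
}
```

Run it from both a Windows PowerShell and a PowerShell Core session, since the CurrentHost profile paths differ between the two hosts.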

The payloads stored in the registry are PE loaders that bypass the AMSI (Antimalware Scan Interface) protection mechanism by patching the first bytes of the AmsiScanBuffer function in memory. This technique was presented at Black Hat Asia 2018.

The final payloads are the RPC backdoors, which are used for lateral movement: they take control of other machines on the local network without relying on an external C&C server.

The analyses by Symantec and ESET give several other details, particularly on how the third campaign’s C&C operated.