The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group...
The Snake keeps reinventing itself
Botconf 2018
Matthieu Faou | Malware Researcher
Jean-Ian Boutin | Senior Malware Researcher
Matthieu Faou | Malware Researcher | ESET Montreal
@matthieu_faou
Agenda
1. Introduction
2. Getting in and keeping access
3. Outlook backdoor
4. Turla TTPs: 2018 update
Introduction
BIS 2017 Report (CZ intelligence agency)
Turla in short
•One of the oldest espionage groups
•Targets include governments, government officials, diplomats, …
•Very large toolset targeting all major platforms
Getting in and keeping access
Infection Vector
Mosquito
Diplomats in Eastern Europe
July 2016
Fake flash installer
Downloaded from http://admdownload.adobe.com *
* We believe Adobe was not compromised
Diagram: the fake Flash installer executable is downloaded from http://admdownload.adobe.com/bin[...], which resolves to a legitimate Akamai/Adobe IP address.
And it contacts adobe.com again
During the installation…
http://get.adobe.com/stats/AbfFcBebD/q=<base64-encoded data>
Information exfiltrated to get.adobe.com over HTTP
Something weird is happening on the network
Possible interception points
WiFi Credentials Export
Likeliest scenario
•We believe with medium confidence that MitM at the ISP level is done
• Patient zero
• Victims all within reach of the same set of ISPs
• Multiple reinfections
Lateral Movement
Proprietary tools
•Network sniffing
• dwiw.exe -idx 1 -ip XXX -port 21,25,110,143,22,80,389 -save_h sniff.log
•Watched ports
• TCP, SSH, SMTP, HTTP, POP3, LDAP, IMAP4
Proprietary
•cliproxy
• Command line reverse shell
• Operators can connect directly to the compromised system
• Special commands available:
  !b  send ctrl+c to cmd.exe
  !c  send file content to server
  !f  modify max error count value
  !r  restart process
  !s  send status: "Version: %s\n\tInterval: %u\n\tId: \n\tVerbose : %u\n\tMax error count: %u\n\t Timeout: %u\n\t"
Proprietary
•Keylogger
• Classic keylogger: SetWindowsHookExW
• No network capability
• Logs encrypted with XOR key
• Classic Turla: strings built on stack
Open source
•Quarks PwDump
•Dumps various types of Windows credentials
• Local account
• Domain account
• Cached domain credentials
• BitLocker
Open source
•Mimikatz – needs no introduction
•LaZagne
• “Recover” passwords from *many* applications: browsers, chats, databases, Wifi, git, SVN, etc.
Public tools
•And of course, Nirsoft
• WebBrowserPassView
• Mail PassView
• MessenPass
Cleaning
Gazer
•Second stage backdoor
•Logs/Tasks cleaning
•Standalone cleaner
Undocumented backdoor
•After they knew they were detected, they cleaned everything
• Registry keys, files, etc.
•They would rather delete everything than have their most recent malware analyzed
Getting Back
Example - Mosquito
•HelpAssistant user creation
• Remote Assistance session
•Collects wifi credentials during installation
• netsh wlan export profile key=clear folder="%APPDATA%"
Outlook Backdoor
The group Snake is said to have attacked the German government network.
Hackers have been able to copy data from the government networks via the Outlook mail program.
We need to look deeper
Targets
•Ministry of Foreign Affairs
•Defense contractors
•?
Timeline
•2009: Oldest compilation timestamp
•2010: First sample uploaded on VirusTotal
•2013: Execute commands sent by emails (XML)
•2016 (?): Commands are hidden in PDF documents sent to the victims
•Mar. 2018: Public announcement of the German incident
•Aug. 2018: Our report goes public
Installation
•COM object hijacking
• Quite old technique
• ComRAT & Mosquito
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Larimer-VB2011.pdf
• https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
•Outlook Protocol Manager
HKCR = HKCU + HKLM: HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and the per-user entry takes precedence, so a COM object can be hijacked by writing only under HKCU, without administrator rights.
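The precedence rule above is what makes per-user COM hijacking (the installation technique described in the previous slide) possible, and it is also what makes it easy to audit. The following is an added example, not code from the talk or from ESET: it parses a `.reg` export of the CLSID keys from both hives (on a real host produced with `reg export`), builds the merged view Windows presents as HKCR, and reports per-user `InprocServer32` entries that shadow or add to a machine-wide registration. The export, CLSIDs and DLL paths are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .reg export (not from the talk). HKLM registers two servers
# system-wide; HKCU re-registers one of them for the current user only.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\legit_server.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\other_server.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\update.dll"
"""

# Only InprocServer32 keys of CLSIDs are of interest; other keys are skipped.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # the key's default value holds the DLL path


def parse_inproc_servers(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {"HKLM": {clsid: dll}, "HKCU": {clsid: dll}} from a .reg export."""
    hives: Dict[str, Dict[str, str]] = {"HKLM": {}, "HKCU": {}}
    current: Optional[Tuple[str, str]] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                hive = "HKLM" if m.group(1).upper() == "HKEY_LOCAL_MACHINE" else "HKCU"
                current = (hive, m.group(2).upper())
            else:
                current = None  # some other key; ignore its values
            continue
        d = DEFAULT_RE.match(line)
        if d and current is not None:
            hive, clsid = current
            # .reg files double every backslash inside string values
            hives[hive][clsid] = d.group(1).replace("\\\\", "\\")
    return hives


def effective_hkcr(hives: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """HKCR merges both hives; a per-user entry shadows the machine-wide one."""
    merged = dict(hives["HKLM"])
    merged.update(hives["HKCU"])
    return merged


def find_user_overrides(hives: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str], str]]:
    """(clsid, machine_dll, user_dll) for every HKCU InprocServer32 entry that
    redirects an existing server or registers one that HKLM does not know."""
    findings = []
    for clsid, user_dll in hives["HKCU"].items():
        machine_dll = hives["HKLM"].get(clsid)
        if machine_dll is None or machine_dll.lower() != user_dll.lower():
            findings.append((clsid, machine_dll, user_dll))
    return findings


if __name__ == "__main__":
    for clsid, machine_dll, user_dll in find_user_overrides(parse_inproc_servers(SAMPLE_REG)):
        print(f"{clsid}: HKLM -> {machine_dll}, HKCU -> {user_dll}")
```

Any hit deserves a look at the user-writable DLL it points to; legitimate per-user registrations exist (per-user installs), so compare against a known-good baseline rather than alerting on every entry.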
MAPI
•Messaging Application Programming Interface
•COM-based API
•Allows software to be email-aware
•Replace olmapi32.dll
Outgoing emails
•All outgoing emails are forwarded to the attacker’s email address
•Can be disabled by changing a config value in the registry
Outgoing emails
•Information is exfiltrated at the same time the victim sends an email
• This avoids sending emails at unusual hours
•Data is encrypted and stored in a PDF attached to the email
Operator email addresses
•In recent campaigns, we have seen them using gmx.com
•The pattern seems to be firstname.lastname@[free webmail]
•Sometimes, they impersonate the victim
Incoming emails
•All incoming email metadata is logged (subject, sender, etc.)
•Checks if the attachment is a PDF and contains a command
Hiding UI artefacts
•Delete all backdoor-related messages
• Sent
• Received
• If it contains the operator email address
•Hooks
Backdoor
•Fully controlled by email
• Commands are contained in PDF attachments
• Old versions: XML in the email body
•Operator agnostic
• Even if the operator's email address is taken down, a command can be sent from any other email address
Backdoor | PDF format
•Really complex – a pain to reverse
• Probably just to make analysis more time consuming
•Valid PDF document
•Data appended after a JPG
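The carrier format described above (a valid PDF with data appended after a JPG), also used for the encrypted exfiltration PDFs in the "Outgoing emails" slide, suggests a simple triage check for mail attachments. This is an added example, not code from the talk or from ESET, and it does not reproduce the backdoor's real layout or encryption: it walks the uncompressed DCTDecode (JPEG) image streams of a PDF and measures how many bytes follow the JPEG end-of-image marker, on a constructed sample PDF.

```python
import re
from dataclasses import dataclass
from typing import List

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")          # "stream" keyword, not "endstream"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length only, not "n 0 R"


@dataclass
class ImageStream:
    obj_num: int
    stream_len: int
    trailing_len: int  # bytes after the last JPEG EOI marker inside the stream


def build_sample_pdf(trailing: bytes) -> bytes:
    """Constructed one-page PDF whose only image is a stub JPEG (not decodable,
    just SOI/APP0/EOI markers) with `trailing` bytes appended after the EOI."""
    jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
    stream = jpeg + trailing
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >>",
        b"<< /Type /XObject /Subtype /Image /Filter /DCTDecode /Width 1 /Height 1 "
        b"/Length " + str(len(stream)).encode() + b" >>\nstream\n" + stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def find_jpeg_streams(pdf: bytes) -> List[ImageStream]:
    """Locate DCTDecode streams and measure the data past the JPEG EOI marker."""
    found = []
    for sm in STREAM_RE.finditer(pdf):
        headers = list(OBJ_RE.finditer(pdf, 0, sm.start()))
        if not headers:
            continue
        hdr = headers[-1]                        # nearest "n 0 obj" before the stream
        dictionary = pdf[hdr.end():sm.start()]
        if b"/DCTDecode" not in dictionary:
            continue                             # Flate-wrapped images are out of scope here
        lm = LENGTH_RE.search(dictionary)
        if lm:
            data = pdf[sm.end():sm.end() + int(lm.group(1))]
        else:                                    # indirect /Length: fall back to the keyword
            end = pdf.find(b"endstream", sm.end())
            data = pdf[sm.end():end] if end >= 0 else b""
        # Last EOI is used because EXIF thumbnails carry their own EOI; appended
        # data that happens to contain FF D9 makes this a lower bound.
        eoi = data.rfind(JPEG_EOI)
        trailing = len(data) - (eoi + 2) if data.startswith(JPEG_SOI) and eoi >= 0 else 0
        found.append(ImageStream(int(hdr.group(1)), len(data), trailing))
    return found


def suspicious_streams(pdf: bytes, min_trailing: int = 16) -> List[ImageStream]:
    """Streams with at least `min_trailing` bytes after the EOI: a few bytes of
    padding are common in real-world JPEGs, kilobytes of data are not."""
    return [s for s in find_jpeg_streams(pdf) if s.trailing_len >= min_trailing]


if __name__ == "__main__":
    sample = build_sample_pdf(b"SECRET" * 10)   # 60 constructed payload bytes
    for s in suspicious_streams(sample):
        print(f"obj {s.obj_num}: {s.trailing_len} of {s.stream_len} bytes after JPEG EOI")
```

Run it over the DCTDecode objects of attachments from a suspect mailbox; a consistent non-zero tail across many outgoing PDFs from one sender is the pattern to look for, not a single hit.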
Backdoor | Functions
ID    Command
0x10  Not implemented
0x11  Display a MessageBox
0x12  Sleep
0x20  Delete file
0x21  Get file
0x22  Set operator email address
0x23  Put file
0x24  Run shell command
0x25  Create process
0x26  Delete directory
0x27  Create directory
0x28  Change timeout
0x29  Run PowerShell command (PSInject - 2018)
0x2A  Set answer mode (2018)
84
![Page 85: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/85.jpg)
85
![Page 86: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/86.jpg)
Turla Encryption History
•Carbon and Snake: CAST-128
•Gazer: Custom RSA implementation
•Mosquito: Blum Blum Shub
•Uroboros: Threefish
86
![Page 87: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/87.jpg)
Backdoor | Encryption
•All significant values (constants and tables) were changed, so the cipher had to be identified from its structural characteristics:
• Symmetric
• 128-bit key
• Two hardcoded tables
• 64-bit block
• 8 rounds
•These characteristics match MISTY1 (64-bit block, 128-bit key, 8 rounds, S-boxes S7 and S9)
87
![Page 88: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/88.jpg)
Changes to MISTY1
•The 128-bit key is derived from two hardcoded 1024-bit keys plus a 2048-bit initialization vector
•The S7 and S9 S-boxes were shuffled
•XOR operations were added to the FI function
88
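The two slides above identify the cipher from its structure (two hardcoded tables) rather than from known constants, because the S7 and S9 tables were shuffled. An added example of that idea, my heuristic rather than ESET's tooling: a shuffled S-box is still a bijection, so a 128-entry run of distinct 7-bit values or a 512-entry run of distinct 9-bit values is located by a permutation test even when a byte signature of the published MISTY1 tables fails. The storage layout (uint8 S7, little-endian uint16 S9) is assumed from typical C implementations, and the scanned blob is constructed here.

```python
from __future__ import annotations
import random
import struct

S7_SIZE, S9_SIZE = 128, 512   # MISTY1 S7 maps 7-bit values, S9 maps 9-bit values


def is_permutation(values, size: int) -> bool:
    """True when `values` contains every integer in [0, size) exactly once."""
    return len(values) == size and set(values) == set(range(size))


def find_sbox_candidates(blob: bytes) -> dict[str, list[int]]:
    """Offsets of byte runs that are a permutation of 0..127 (S7-shaped) and of
    little-endian uint16 runs that are a permutation of 0..511 (S9-shaped).
    Assumes the layout of typical C implementations (uint8_t S7[128],
    uint16_t S9[512]); every byte alignment is tried. A shuffled table is
    still a bijection, so it passes this test while a byte signature of the
    published tables would not."""
    hits: dict[str, list[int]] = {"s7": [], "s9": []}
    for off in range(len(blob) - S7_SIZE + 1):
        window = blob[off:off + S7_SIZE]
        if max(window) < S7_SIZE and is_permutation(window, S7_SIZE):
            hits["s7"].append(off)
    span = S9_SIZE * 2
    for off in range(len(blob) - span + 1):
        window = struct.unpack(f"<{S9_SIZE}H", blob[off:off + span])
        if max(window) < S9_SIZE and is_permutation(window, S9_SIZE):
            hits["s9"].append(off)
    return hits


def build_sample_blob(seed: int = 1337) -> tuple[bytes, int, int]:
    """Constructed stand-in for a data section: shuffled S7- and S9-shaped
    tables surrounded by filler bytes >= 0x80, which can never be a 7-bit S7
    entry. Returns the blob and the two table offsets."""
    rng = random.Random(seed)
    s7, s9 = list(range(S7_SIZE)), list(range(S9_SIZE))
    rng.shuffle(s7)
    rng.shuffle(s9)
    filler = lambda n: bytes(rng.randrange(0x80, 0x100) for _ in range(n))
    pre, mid, post = filler(301), filler(77), filler(203)
    s7_off = len(pre)
    s9_off = s7_off + S7_SIZE + len(mid)
    blob = pre + bytes(s7) + mid + struct.pack(f"<{S9_SIZE}H", *s9) + post
    return blob, s7_off, s9_off


if __name__ == "__main__":
    blob, s7_off, s9_off = build_sample_blob()
    print(find_sbox_candidates(blob), (s7_off, s9_off))   # {'s7': [301], 's9': [506]} (301, 506)
```

Once a candidate is located, diff it against the published MISTY1 S7/S9 to confirm whether the entries were merely reordered; the added XORs in FI are not visible from the tables and need the round function to be read.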
![Page 89: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/89.jpg)
Demo
![Page 90: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/90.jpg)
Mitigations
![Page 91: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/91.jpg)
91
![Page 92: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/92.jpg)
WDSC (Windows Defender Security Center) standard Exploit Protection settings
92
![Page 93: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/93.jpg)
93
![Page 94: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/94.jpg)
94
![Page 95: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/95.jpg)
95
![Page 96: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/96.jpg)
96
![Page 97: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/97.jpg)
Do not allow child processes (per-program Exploit Protection setting for outlook.exe): Outlook can no longer spawn processes, which neutralises the backdoor's Run shell command (0x24) and Create process (0x25) functions
97
![Page 98: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/98.jpg)
98
![Page 99: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/99.jpg)
Code Integrity Guard (per-program Exploit Protection setting for outlook.exe): only Microsoft-signed images may be loaded into the process, so an unsigned backdoor DLL is refused; it also refuses unsigned third-party add-ins, so enable it in audit mode first and review the blocked loads
99
![Page 100: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/100.jpg)
100
![Page 101: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/101.jpg)
101
![Page 102: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/102.jpg)
102
![Page 103: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/103.jpg)
On the mail server side
•Blocking emails based on the PDF format: the format is controlled by the attackers, so they can simply change it
•Monitoring duplicate sending of emails
• High false-positive rate?
• The attacker's address looks like the victim's private address
103
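An added example of the duplicate-sending monitor discussed above (my detection logic, not ESET's, run over a constructed log in a simplified MTA-style format): an alert fires when a message goes to an external address shortly after the same subject was exchanged purely internally by the same user. The internal domain, the correlation window and the log format are assumptions; a real deployment would correlate on Message-ID or a body hash rather than the subject, which is all this toy log carries. The third alert is the false positive the slide warns about: a user legitimately forwarding her own message to a lookalike private mailbox is indistinguishable from the backdoor copying it out.

```python
from __future__ import annotations
import re
from datetime import datetime, timedelta

# Assumptions for this example (not from the slides): the organisation's own
# domain and the correlation window.
INTERNAL_DOMAINS = {"mfa.example"}
WINDOW = timedelta(minutes=5)

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> subject="(?P<subject>[^"]*)"$'
)

# Constructed sample. anna.k plays the victim whose mailbox copies every
# message to an operator address chosen to look like her private mailbox;
# olga.m is a legitimate self-forward that looks exactly the same.
SAMPLE_LOG = """\
2018-06-04T09:12:33 from=<anna.k@mfa.example> to=<peter.l@mfa.example> subject="Visit agenda"
2018-06-04T09:12:34 from=<anna.k@mfa.example> to=<anna.k1988@freemail.example> subject="Visit agenda"
2018-06-04T09:40:02 from=<peter.l@mfa.example> to=<sekretariat@partner.example> subject="Minutes"
2018-06-04T10:05:10 from=<peter.l@mfa.example> to=<anna.k@mfa.example> subject="Re: Visit agenda"
2018-06-04T10:05:41 from=<anna.k@mfa.example> to=<anna.k1988@freemail.example> subject="Re: Visit agenda"
2018-06-04T11:30:00 from=<olga.m@mfa.example> to=<peter.l@mfa.example> subject="Draft"
2018-06-04T11:30:25 from=<olga.m@mfa.example> to=<olga.m@freemail.example> subject="Draft"
2018-06-04T16:00:00 from=<peter.l@mfa.example> to=<peter.l@freemail.example> subject="Minutes"
"""


def parse_log(text: str) -> list[dict]:
    """One dict per delivery; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "sender": m["sender"],
                           "rcpt": m["rcpt"], "subject": m["subject"]})
    return events


def is_internal(addr: str) -> bool:
    return addr.rsplit("@", 1)[1].lower() in INTERNAL_DOMAINS


def looks_like_private_copy(external: str, internal: str) -> bool:
    """True when the external local part embeds the internal user's local part
    (anna.k -> anna.k1988): the lookalike pattern the slide blames for FPs."""
    return internal.split("@")[0].lower() in external.split("@")[0].lower()


def find_duplicate_sends(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Alert on a delivery to an external address whose subject matches a
    message exchanged purely internally within `window`, when the sender of
    the external copy took part in that internal exchange (as sender or
    recipient, since the backdoor copies both outgoing and incoming mail)."""
    recent: dict[str, list[dict]] = {}   # subject -> recent internal-only deliveries
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prior = [p for p in recent.get(ev["subject"], []) if ev["ts"] - p["ts"] <= window]
        recent[ev["subject"]] = prior
        if is_internal(ev["rcpt"]):
            prior.append(ev)
            continue
        involved = {a for p in prior for a in (p["sender"], p["rcpt"])}
        if ev["sender"] in involved:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["sender"],
                           "copy_to": ev["rcpt"], "subject": ev["subject"],
                           "private_lookalike": looks_like_private_copy(ev["rcpt"], ev["sender"])})
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_sends(parse_log(SAMPLE_LOG)):
        print(alert)   # three alerts: two for anna.k, one (the false positive) for olga.m
```

The `private_lookalike` flag does not separate the true positives from the false one; it only tells the analyst why the pattern matched, which is the triage the slide's "high FP rate?" question implies has to happen by hand.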
![Page 104: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/104.jpg)
•Comprehensive white paper released in August 2018
• https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf
• https://github.com/eset/malware-ioc/tree/master/turla#turla-outlook-indicators-of-compromise
104
![Page 105: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/105.jpg)
Turla TTPs: 2018 update
![Page 106: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/106.jpg)
Mosquito
•New URL: http://admdownload.adobe.com/bin/live/flashplayer30pp_ja_install.exe
•The legitimate Flash installer is downloaded from Google Drive
•Generally, it no longer drops the Win32 backdoor
106
![Page 107: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/107.jpg)
Mosquito PowerShell reflective loader
107
![Page 108: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/108.jpg)
Carbon
•Second-stage backdoor with advanced capabilities
•New version (Orchestrator v3.82 / Communication module v4.08) released in March 2018
•Still uses compromised WordPress sites as C&C
108
![Page 109: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/109.jpg)
A shift toward more generic tools
•Turla's reputation comes from its outstanding custom tools
•The shift started in March 2018 with Mosquito
• Metasploit shellcode + Meterpreter
109
![Page 110: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/110.jpg)
Links with other APT groups
•Kaspersky Lab discovered PowerShell code shared between Turla and Zebrocy
• https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
•False flag? Same external developer?
110
![Page 111: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/111.jpg)
Conclusion
•Turla is not a casual or lazy attacker
•They conduct long-term spying operations
•The toolset evolves, with a trend towards more generic tools
111
![Page 112: The Snake keeps reinventing itself - Botconf 2020Turla in short •One of the oldest espionage group •Targets includes governments, government officials, diplomats, … •Very large](https://reader035.fdocuments.in/reader035/viewer/2022070820/5f1d39ae4095a91f8652c9c4/html5/thumbnails/112.jpg)
www.eset.com | www.welivesecurity.com
Matthieu FaouMalware Researcher
@matthieu_faou
Questions?