Delaware, USA – May 31, 2019 – Turla APT attacks diplomats in Eastern Europe using new PowerShell loaders. ESET analyzed the detected malware samples and published a report on a new series of attacks. In its cyber espionage campaigns, the group uses custom, sophisticated malware such as the newly discovered LightNeuron backdoor for Microsoft Exchange servers. This is the first time Turla has used PowerShell scripts that load and execute malware executables and libraries directly in memory, although the group began experimenting with PowerShell last year.
To load its malware, the group now uses scripts that persist on the system and periodically load only the embedded executables into memory. The loader uses a Windows Management Instrumentation (WMI) event subscription and modifies the profile.ps1 file to gain persistence on the attacked system. The malware executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen non-antivirus process that is already running on the system. The loader bypasses the Antimalware Scan Interface (AMSI) and can patch the AmsiScanBuffer function, preventing AV solutions from scanning the payload. In this campaign, the group deploys several RPC backdoors and the PowerStallion backdoor, which uses legitimate cloud storage services as its C&C server.
ESET researchers suggest that Turla APT may use PowerShell loaders in attacks targeting countries in Western Europe and the Middle East. You can spot suspicious execution of PowerShell scripts using the Sysmon Framework for ArcSight: https://my.socprime.com/en/integrations/sysmon-framework-arcsight
You can also explore other tactics and tools of the group in the Threat Detection Marketplace and download content to detect them: https://tdm.socprime.com/att-ck/
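The three loader behaviours described above (WMI event subscription persistence, a write to profile.ps1, and PowerShell starting a thread in another process) each map to a Sysmon event type. The following is an added illustration, not code from ESET or SOC Prime, that runs that mapping over constructed Sysmon events; the sample events, paths and names are invented for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Sysmon events in flattened key/value form (not real
# telemetry from the campaign). Sysmon IDs: 19-21 = WMI event subscription
# activity, 11 = FileCreate, 8 = CreateRemoteThread.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "19", "Operation": "Created", "User": "CORP\\alice",
     "Name": "HostStartFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": "20", "Operation": "Created", "User": "CORP\\alice",
     "Name": "HostStartConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\ld.ps1"},
    {"EventID": "11", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\WindowsPowerShell\\profile.ps1"},
    {"EventID": "8", "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"EventID": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

WMI_EVENT_IDS = {"19", "20", "21"}
# Matches all four PowerShell profile locations (AllUsers/CurrentUser x AllHosts/CurrentHost).
PS_PROFILE = re.compile(
    r"\\WindowsPowerShell\\(v1\.0\\)?(Microsoft\.PowerShell_)?profile\.ps1$", re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r"\\powershell(_ise)?\.exe$", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one Sysmon event to a loader-behaviour tag, or None if nothing matched."""
    eid = event.get("EventID")
    if eid in WMI_EVENT_IDS:
        return "wmi_subscription"          # persistence via WMI filter/consumer/binding
    if eid == "11" and PS_PROFILE.search(event.get("TargetFilename", "")):
        return "profile_ps1_write"         # persistence via PowerShell profile script
    if eid == "8" and POWERSHELL_IMAGE.search(event.get("SourceImage", "")):
        return "powershell_remote_thread"  # PowerShell starting a thread in another process
    return None


def triage(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group flagged events by tag; several tags on one host in a short window
    is what separates this loader pattern from routine PowerShell use."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.setdefault(tag, []).append(ev)
    return hits
```

Calling `triage(SAMPLE_EVENTS)` on the constructed data returns all three tags; in production the same logic would be fed from the Sysmon channel and correlated per host.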