Turla APT Uses NetFlash Dropper and PyFlash Backdoor in Watering Hole Attacks

Delaware, USA – March 12, 2020 – Russian state-sponsored cyberespionage group compromised several high-profile Armenian websites to deliver their new Python-based backdoor named PyFlash. ESET researchers discovered a watering hole operation that relies on a fake Adobe Flash update lure and delivers two new tools. Adversaries inserted a piece of malicious JavaScript code into the compromised websites to load from the external source script which fingerprints the visitor’s browser. “Then, it collects several pieces of information including the browser plugin list, the screen resolution and various operating system information. This is sent to the C&C server in a POST request. If there is a reply, it is assumed to be JavaScript code and is executed using the eval function,” researchers said. “If the visitor is deemed interesting, the server replies with a piece of JavaScript code that creates an iframe. Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators.”

Targeted victims see a fake suggestion to update Adobe Flash Player, and if they agreed, a legitimate copy of Flash and NetFlash malware downloader would be installed on their systems. NetFlash downloads PyFlash backdoor from a hard-coded URL and leverages Windows scheduled task to achieve persistence. Turla APT started using PyFlash instead of Skipper since September 2019. The backdoor is capable of collecting system information and sending it to command-and-control servers, downloading files, executing commands, and uninstalling the backdoor. Turla APT is known for its sophisticated tools and unexpected moves during attacks. You can explore techniques used by the group in the MITRE ATT&CK section: https://tdm.socprime.com/att-ck/