Delaware, USA – August 23, 2018 – The Turla APT group has created a unique Outlook backdoor and used it to spy on at least two European government foreign offices and one defense contractor. The group has been operating since 2008, using the Gazer backdoor in cyberespionage campaigns targeting government and diplomatic bodies in Europe, Asia and South America. Researchers from ESET discovered that Turla’s new tool is capable of running PowerShell scripts and transferring data to the adversaries. To ensure persistence on the infected system, it leverages the COM object hijacking technique, which causes the malicious DLL to be loaded whenever a user opens Outlook. The method of obtaining instructions and exfiltrating data is of particular interest: Turla’s malware uses the legitimate Messaging Application Programming Interface (MAPI) to gain access to the user’s inboxes and to receive instructions via specially crafted PDFs. To exfiltrate stolen data, the malware creates a PDF document and sends it by email to an address specified by the attackers. Control over the user’s inboxes lets the backdoor delete its own “correspondence” almost instantly, so its activity does not arouse suspicion.
Turla’s malware does not depend on any command & control server and can receive commands from any email address; because this way of obtaining instructions creates no suspicious network connections, the threat is challenging to detect. Execution of PowerShell scripts and other malware activity can nevertheless be uncovered in logs using a SIEM with the Sysmon Framework and Windows Security Monitor rule packs.
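As an added illustration of the kind of log-based detection the article alludes to (this is example code written for this page, not ESET’s analysis or a SOC Prime rule), the script below scans constructed Sysmon-style records for the three behaviours described above: a per-user COM InProcServer32 registration pointing at a DLL in a user-writable path, Outlook loading an unsigned DLL from such a path, and Outlook spawning PowerShell. The field names follow Sysmon Event IDs 13, 7 and 1; the CLSID, user name and file names are placeholders, not indicators from the report.

```python
import re

# Constructed Sysmon-style records (not real telemetry). Field names mirror
# Sysmon Event ID 13 (RegistryEvent value set), 7 (Image loaded), 1 (Process create).
# The CLSID and paths are placeholders, not indicators from the ESET report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000001}\InProcServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Local\Temp\mapiupd.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\mapiupd.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\task.ps1"},
    # Benign: Outlook loading a signed DLL from its own install directory.
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\OLMAPI32.DLL", "Signed": "true"},
]

# Paths a non-admin user can write to; a DLL loaded from here into Outlook is suspicious.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Per-user COM server registration: HKCU\Software\Classes\CLSID\{...}\InProcServer32
COM_INPROC = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\InProcServer32", re.IGNORECASE)


def is_outlook(path):
    return path.lower().endswith("outlook.exe")


def detect(events):
    """Return (rule_name, evidence) tuples for records matching the three behaviours."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 13 and COM_INPROC.search(e.get("TargetObject", "")) \
                and USER_WRITABLE.search(e.get("Details", "")):
            findings.append(("com_hijack_registration", e["Details"]))
        elif eid == 7 and is_outlook(e.get("Image", "")) \
                and e.get("Signed", "").lower() != "true" \
                and USER_WRITABLE.search(e.get("ImageLoaded", "")):
            findings.append(("outlook_loaded_unsigned_user_dll", e["ImageLoaded"]))
        elif eid == 1 and is_outlook(e.get("ParentImage", "")) \
                and e.get("Image", "").lower().endswith("powershell.exe"):
            findings.append(("outlook_spawned_powershell", e["CommandLine"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

In a real deployment the same three conditions would be expressed as SIEM correlation rules over Sysmon events; the benign fourth record shows why the signature and path checks are needed to keep Outlook’s own DLL loads out of the alert stream.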