Cyber espionage campaign opens backdoor to steal documents from infected PCs
A cyber espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware which provides a secret backdoor onto compromised Windows systems.
Uncovered by cybersecurity researchers at ESET, the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers.
Dubbed Crutch by its developers, this malware campaign has been active from 2015 through to 2020, and researchers have linked it to the Turla hacking group due to similarities with previously uncovered Turla campaigns such as Gazer. The working hours of the group also coincide with UTC+3, the timezone in which Moscow sits. The UK’s National Cyber Security Centre (NCSC) is among those which have attributed Turla – also known as Waterbug and Venomous Bear – to Russia.
The newly detailed Crutch campaign appears tailored towards very specific targets with the aim of stealing sensitive documents. ESET hasn’t revealed any specifics about the target, aside from that it was a ministry of foreign affairs in an EU country. This targeting fits in with previous Turla campaigns.
However, Crutch isn’t a first-stage payload and is only deployed after cyber attackers have already compromised the target network – something which similar campaigns have achieved by using specially crafted spear-phishing attacks.
Once Crutch is installed as a backdoor on the target system, it communicates with a hardcoded Dropbox account, which it uses to retrieve files while remaining under the radar, because traffic to Dropbox blends into normal network activity.
Analysis of the backdoor indicates that it has repeatedly been updated and changed over the years in order to maintain effectiveness while also keeping hidden.
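As an added defender’s example (not code from ESET’s report or from this article), the script below aggregates proxy-log uploads to Dropbox API hostnames per workstation and flags hosts that exceed an assumed byte threshold or use a client other than an assumed sanctioned one; the log format, sample lines, hostnames, agent names and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Dropbox API hostnames (assumption: the report does not list the
# endpoints Crutch contacts, so these stand in for "traffic to Dropbox").
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Constructed proxy log lines: "timestamp host user destination bytes_out agent".
SAMPLE_LOG = """\
2020-11-02T08:15:01Z ws-17 alice api.dropboxapi.com 1240 Dropbox-Desktop-Client
2020-11-02T08:16:44Z ws-17 alice content.dropboxapi.com 52000 Dropbox-Desktop-Client
2020-11-02T09:01:10Z ws-42 bob content.dropboxapi.com 8400000 Mozilla/5.0
2020-11-02T09:03:57Z ws-42 bob content.dropboxapi.com 7900000 Mozilla/5.0
2020-11-02T09:10:03Z ws-42 bob api.dropboxapi.com 900 Mozilla/5.0
2020-11-02T10:22:30Z ws-05 carol www.example.org 3300 Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, user, dest, out, agent = m.groups()
            yield {"ts": ts, "host": host, "user": user, "dest": dest,
                   "bytes_out": int(out), "agent": agent}

def dropbox_upload_summary(text):
    """Sum bytes sent to Dropbox API hosts per internal host, noting agents seen."""
    totals = defaultdict(lambda: {"bytes_out": 0, "agents": set()})
    for rec in parse_log(text):
        if rec["dest"] in DROPBOX_HOSTS:
            totals[rec["host"]]["bytes_out"] += rec["bytes_out"]
            totals[rec["host"]]["agents"].add(rec["agent"])
    return dict(totals)

def flag_suspicious(text, byte_threshold=5_000_000,
                    sanctioned_agents=("Dropbox-Desktop-Client",)):
    """Flag hosts whose Dropbox uploads exceed the threshold or come from an
    agent other than the sanctioned client (threshold and agent are assumptions)."""
    flagged = {}
    for host, info in dropbox_upload_summary(text).items():
        unsanctioned = info["agents"] - set(sanctioned_agents)
        if info["bytes_out"] > byte_threshold or unsanctioned:
            flagged[host] = {"bytes_out": info["bytes_out"],
                             "unsanctioned_agents": sorted(unsanctioned)}
    return flagged

if __name__ == "__main__":
    for host, info in flag_suspicious(SAMPLE_LOG).items():
        print(host, info)
```

Hosts where the official client is the only agent and volumes stay small are not flagged, so the noise from ordinary sanctioned use is limited to the threshold and agent rules chosen.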
“The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” said Matthieu Faou, malware researcher at ESET.
However, despite the persistent nature of the attack by what’s regarded as a sophisticated hacking operation, there are still some relatively simple security measures that organisations can apply to avoid falling victim to this or many other forms of cyber attack.
“During this investigation, we noticed that attackers were able to move laterally and compromise additional machines by reusing admin passwords,” said Faou.
“I believe that limiting lateral movement possibilities would greatly make the life of attackers harder. It means preventing users from being able to run as admin, using two-factor authentication on admin accounts and using unique and complex passwords,” he added.