Two days before Halloween, US Cyber Command (CYBERCOM) released a chilling surprise for two Russian state-sponsored APTs, Turla Team and APT28. In an afternoon tweet on October 29, 2020, CYBERCOM announced that it had uploaded samples of an implant dropper used by Turla, dubbed ComRATv4, along with samples of Zebrocy, attributed to APT28, to VirusTotal. The FBI and CISA, who made the attribution, noted that Turla Team is backed by the government of Russia and that it has used ComRATv4 to target ministries of foreign affairs and national parliaments. In his coverage of the release, Catalin Cimpanu of ZDNet notes that Accenture had published a report earlier that week on Turla and its widespread use of ComRATv4.
While this advisory and sample release come as the United States election on November 3rd approaches, it is not uncommon for US cyber-security agencies to make announcements on well-known holidays, such as the Valentine's Day release of malware associated with the DPRK. Given the history of US-Russia relations and election interference, forcing Russian government-backed threat actors into a development cycle, where they must retool to avoid detection by security products, would not be an unusual tactic for the US government to take. As of November 2nd, the Zebrocy samples were detected by 49 of 72 anti-virus engines on VirusTotal, and the ComRATv4 sample by 20. Defenders should not rely on anti-virus alone to detect threats: signatures often lag behind a malware family's first use, and threat actors can trivially change file hashes and other static patterns (repacking, recompiling, or simply appending bytes yields a new hash without changing what the implant does). Endpoint Detection and Response (EDR) software that detects patterns of behavior on systems is far more effective at finding threats, provided it is monitored by skilled analysts who respond when unusual behavior is flagged.
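To make the point about hash-based indicators concrete, here is a small added example (not code from the original post, CYBERCOM, or any vendor). It uses a constructed byte string as a stand-in for a sample, never a real ComRATv4 or Zebrocy file, and a hypothetical content indicator chosen for illustration. Appending a single overlay byte, the cheapest possible retooling, changes the SHA-256 that a hash IOC keys on, while a signature that matches on the sample's actual contents still fires.

```python
import hashlib
import re

# Constructed stand-in for a malware sample. This is NOT ComRATv4 or Zebrocy,
# just a byte string with a recognizable command fragment embedded in it.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 64 + b"cmd.exe /c whoami" + b"\x00" * 32

# Hypothetical content indicator of the kind a YARA rule or EDR might key on,
# chosen for this example only.
INDICATOR = re.compile(rb"cmd\.exe /c \w+")


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the kind of IOC shared in advisories and on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def append_overlay(data: bytes, padding: bytes = b"\x00") -> bytes:
    """Simulate trivial retooling: append bytes after the real file contents
    (a PE overlay). The program's behavior is unchanged, but every
    whole-file hash is now different."""
    return data + padding


def matches_indicator(data: bytes) -> bool:
    """Content-based check that survives padding, repacking of the overlay, etc."""
    return INDICATOR.search(data) is not None


def compare(original: bytes) -> dict:
    """Show which indicator types survive a one-byte change to the sample."""
    variant = append_overlay(original)
    return {
        "hash_original": sha256_hex(original),
        "hash_variant": sha256_hex(variant),
        # A hash IOC for the original no longer matches the variant.
        "hash_ioc_still_matches": sha256_hex(original) == sha256_hex(variant),
        # A content indicator matches both.
        "content_ioc_still_matches": matches_indicator(original)
        and matches_indicator(variant),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```

The same lesson applies to behavioral telemetry: what the dropper does on the host (the process it spawns, the registry keys or scheduled tasks it writes, the network endpoints it contacts) is far harder to change between campaigns than the hash of the file that does it.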
An implant dropper dubbed #ComRATv4 recently attributed by @CISAgov and @FBI to Russian sponsored APT, Turla. It was likely used to target ministries of foreign affairs and national parliament.
@CNMF_CyberAlert continues to disclose #malware samples on: https://t.co/fSgk1xpG8t pic.twitter.com/c2jmozTAyB
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) October 29, 2020