Turla Using a New Backdoor in Watering Hole Attack - Binary Defense

Researchers from ESET have discovered a new watering hole attack carried out by Turla that targets several high-profile Armenian websites. Turla is a well-known Russian espionage group that has been tracked for over ten years; the researchers stated that several aspects of their research led to the attribution. As in previous Turla campaigns, the targets included government and military organizations, and some of the JavaScript used in the watering hole attack was very similar to code Turla has used in the past.

Four Armenian websites were found to have been compromised since 2019. Using unknown access methods, the group managed to infect users who visited one of the websites by serving second-stage malicious JavaScript that fingerprints the victim’s browser. If the script detects that this is the victim’s first visit to the page, it injects an evercookie into the browser to track whether the victim visits one of the websites a second or third time. The script collects information about the user’s machine, and if the user is deemed interesting, another script loads a fake Adobe Flash update page in an iframe. If the victim proceeds with the prompted install, Adobe Flash is installed on the victim’s computer along with the malware. Before August 2019, Turla’s backdoor known as Skipper would be downloaded with Adobe Flash, but since September 2019, the server has delivered NetFlash and PyFlash.

ANALYST NOTES

Turla has been known to use watering hole attacks targeting government officials. In this case, once the website was compromised, the rest of the attack was accomplished through basic social engineering. Pop-ups claiming that Adobe Flash Player is out of date are often used to deliver malware. Anyone who thinks their software is out of date should go directly to the website for that software to download updates. More research can be found here: https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
