Turla, a hacking group that has been active for over ten years and one of the largest known state-sponsored cyberespionage groups, is showing a shift in its behaviour from using its own creations to leveraging the open source exploitation framework Metasploit before dropping the custom Mosquito backdoor.
While this is not the first time Turla is using generic tools, researchers at ESET say that this is the first time the group has used Metasploit, which is an open-source penetration testing project, as a first stage backdoor.
“In the past, we have seen the group using open-source password dumpers such as Mimikatz,” ESET Research said in a blog post. “However, to our knowledge, this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on one of its own tools such as Skipper.”
The typical targets of the attacks remain to be embassies and consulates in Eastern Europe and the group is still using a fake Flash installer to install both the Turla backdoor and the legitimate Adobe Flash Player.
According to the researchers, the compromise occurs when the user downloads a Flash installer from get.adobe.com through HTTP, allowing Turla operators to replace the legitimate Flash executable with a trojanized version by intercepting traffic on a node between the end machine and the Adobe servers.
“We believe the fifth possibility to be excluded, as, to the best of our knowledge, Adobe/Akamai was not compromised,” the post went on to say, assuring that the Adobe website does not seem to have been compromised.
Researchers found, at the beginning of March 2018, that there were some changes in the Mosquito campaign. Where previously, the attack was carried out by dropping a loader and the main backdoor using a fake Flash installer, there is now a change in the way the final backdoor is dropped.
“Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer,” the post read.
The shellcode then downloads a Meterpreter, which gives the attacker the control of the compromised machine, and finally places the final Mosquito backdoor.
Once the attack is executed, the fake Flash installer downloads a legitimate Flash installer from a Google Drive URL and runs it to deceive the user into thinking that the installation went smoothly.
Researchers also say that because of the use of Metasploit, it can be assumed that there is an operator controlling the exploitation manually. More information on Turla can be found in ESET’s whitepaper as well as their recent report on Turla’s change in attacks.
