Experts are warning of new tools in the arsenal of the Turla cybercrime group. Using a pre-crafted set of PowerShell commands, the attackers inject malware directly into the computer's memory, which makes their actions more effective and the attack harder to detect.
Cyber security experts have repeatedly warned of the threat posed by the Turla group, which specializes in attacks against diplomatic missions and political organizations. So far, the intruders' arsenal has consisted primarily of sophisticated proprietary tools, such as the LightNeuron malware, which let the group intercept and modify any message passing through a mail server. Now it turns out that the Turla criminals have expanded their "assortment" with malicious PowerShell scripts. They use the built-in Windows command interpreter to inject malicious code straight into the computer's memory. This method has been used against several diplomatic missions in Eastern Europe, but the list of targets may well be much longer.
Detection of attacks is becoming increasingly difficult
The new tools from the Turla group use PowerShell scripts to inject malicious code directly into the memory of the victim's system. This lets the intruders bypass antivirus programs that only scan the hard drive for threats. It significantly increases the chances that the attack will succeed, because such malicious activity is only detected at the memory-scanning stage, by which time the script is already active and able to cause damage. What distinguishes the Turla group's technique from other malware of this type (known as droppers) is its ability to persist in the system by regularly injecting the malicious code.
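The detection point the paragraph describes can be moved earlier than a memory scan: PowerShell script block logging (Windows Event ID 4104) records the text of each script block as the engine processes it, so a loader script is logged even though nothing touches the disk. Below is an added example, not code from the article or from ESET, that scans constructed 4104-style log lines for combinations of in-memory loading indicators; the indicator list, the simplified log line format and the hit threshold are assumptions to be tuned per environment.

```python
"""Flag PowerShell script blocks that combine several in-memory loading indicators."""
import re
from typing import Dict, List

# Strings that commonly appear in script blocks which allocate memory and load
# code in-process. Assumed list chosen for this example, not from the article.
INDICATORS = {
    "win32_alloc": re.compile(r"VirtualAlloc(Ex)?", re.I),
    "win32_write": re.compile(r"WriteProcessMemory", re.I),
    "win32_thread": re.compile(r"CreateRemoteThread|CreateThread", re.I),
    "reflection_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}

# A block is flagged only when at least this many distinct indicator classes
# co-occur; a lone Invoke-Expression is too common in legitimate scripts.
THRESHOLD = 2

# Constructed log line shape (a flattened rendering of Event 4104, assumed).
LOG_LINE = re.compile(r"EventID=(\d+) ScriptBlockId=(\S+) ScriptBlockText=(.*)")


def analyze_script_block(text: str) -> List[str]:
    """Return the indicator classes present in one script block's text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_log(lines: List[str]) -> List[Dict]:
    """Scan 4104 lines and report blocks that reach THRESHOLD indicator classes."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group(1) != "4104":
            continue  # not a script block log entry
        found = analyze_script_block(m.group(3))
        if len(found) >= THRESHOLD:
            hits.append({"script_block_id": m.group(2), "indicators": found})
    return hits


# Constructed sample log; the second entry mimics a base64-decode-then-load stub.
SAMPLE_LOG = [
    "EventID=4104 ScriptBlockId=a1 ScriptBlockText=Get-ChildItem C:\\Users | Measure-Object",
    "EventID=4104 ScriptBlockId=b2 ScriptBlockText=$b=[Convert]::FromBase64String($p);"
    "[System.Reflection.Assembly]::Load($b)",
    "EventID=4103 ScriptBlockId=c3 ScriptBlockText=VirtualAlloc WriteProcessMemory",
    "EventID=4104 ScriptBlockId=d4 ScriptBlockText=Invoke-Expression (Get-Content .\\build.ps1 -Raw)",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)  # prints only the b2 block
```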
Among the tools described, two are particularly noteworthy. The first is a set of trojans that use the RPC protocol, which is responsible for communication between workstations and the server. It allows them to take control of other devices without needing to communicate with an external control server. The second is the PowerStallion backdoor, which uses the OneDrive service as a makeshift control server.
“We suspect that PowerStallion was developed with emergency situations in mind and was intended to be used to get into victims’ computers only after the main backdoors used by the group would have been detected and blocked,” explains Kamil Sadkowski, senior threat analyst at ESET.
Hackers improve their arsenal
“The new findings regarding malicious PowerShell scripts prove one thing: the arsenal used by the Turla group is constantly evolving, and cybercriminals are ready to use all available tools in their attacks. This is an important lesson for IT security experts and administrators who want to stay one step ahead of the intruders,” comments Kamil Sadkowski from ESET.