Russian-speaking APTs Turla and Sofacy share malware delivery, and overlap targets in Australia

MELBOURNE, Australia, Oct. 11, 2018 /PRNewswire/ -- While monitoring the various clusters of the long-standing, Russian-speaking threat actor Turla (also known as Snake or Uroburos), the Kaspersky Lab Global Research & Analysis Team (GReAT) discovered that a recent evolution of its KopiLuwak malware is delivered to victims using code nearly identical to that used just a month earlier by the Zebrocy operation, a subset of Sofacy (also known as Fancy Bear and APT28), another long-standing Russian-speaking threat actor. Researchers also found target overlap between the two threat actors, centered on geopolitical hotspots in central Asia and on sensitive government and military entities.

Noushin Shabab, Senior Security Researcher, Kaspersky Lab ANZ

KopiLuwak was first discovered in November 2016, delivered through malicious documents whose enabled macros dropped new, obfuscated JavaScript malware designed for system and network reconnaissance. A further evolution of KopiLuwak was observed in mid-2018, and researchers noticed new targets in Syria and Afghanistan. Turla used a new spear-phishing delivery vector: Windows shortcut (.LNK) files. Analysis showed that the LNK file contained PowerShell code that decoded and dropped the KopiLuwak payload.

Further evidence supported the hypothesis that Turla abused Wi-Fi networks to deliver Mosquito malware to victims, a practice that may be tapering off. Researchers also found further modification of the powerful Carbon cyberespionage framework, which has traditionally been installed very selectively on victims of particular interest, and they expect to see further code modifications and selective deployment of this malware into 2019. The 2018 targets of the Turla malware clusters include Australia, parts of Europe, Asia, the Americas and more.

"Turla is one of the oldest known threat actors, renowned for constantly trying new approaches. It is worth noting that while other Russia-speaking threat actors like CozyDuke (APT29) and Sofacy were targeting organisations in the west, Turla was quietly deploying its operations towards the east. In Australia alone, Turla falls into an Unnamed Cluster 2. Our research suggests Turla's code development and implementation is ongoing. We strongly urge organisations that believe they could be a target to take precautions," said Noushin Shabab, Security Researcher at Kaspersky Lab ANZ.

Kaspersky Lab recommends that organisations use a proven corporate-grade security solution in combination with anti-targeted attack technologies and threat intelligence, such as the Kaspersky Threat Management and Defense solution, which is capable of identifying and catching advanced targeted attacks by analysing network anomalies.

For further details of Turla's 2018 activity, read the full report on Securelist.

Erin Victor

Photo - https://photos.prnasia.com/prnh/20181010/2263454-1