“Turla” Group Uses New JavaScript Malware

Turla, also known as Snake / Uroburos / Venomous Bear and KRYPTON is a Russian-speaking APT group that has been active since at least 2007. Its activity can be traced to many high-profile incidents, including the 2008 attack against the US Central Command, more recently, the attack against RUAG, a Swiss military contractor. The Turla group has been known as an agile, very dynamic and innovative APT, leveraging many different families of malware, satellite-based command and control servers and malware for non-Windows OSes.

turla

The document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs (MoFA) in Cyprus. Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc, it is presumed it may have been sent from the Qatar Ambassador’s secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.

The document contains a malicious macro, very similar to previous macros used by Turla in the past to deliver Wipbot, Skipper, and ICEDCOFFEE. However, the macro did contain a few modifications to it, mainly the XOR routine used to decode the initial JavaScript and the use of a “marker” string to find the embedded payload in the document.

This JS will begin by copying itself to the appropriate folder location based on the version of Windows running:

c:\Users\\AppData\Local\Microsoft\Windows\mailform.js

c:\Users\\AppData\Local\Temp\mailform.js

c:\Documents and Settings\\Application Data\Microsoft\Windows\mailform.js

Next, it will write to the following registry key:

Key: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\mailform
Value: wscript.exe /b “ NPEfpRZ4aqnh1YuGwQd0”

After establishing its persistence, it will then execute a series of commands on the victim system using “cmd.exe /c” and store them to a file named “~dat.tmp”, in the same folder where “mailform.js” is located.

Network Communications

With the victim info stored in encrypted form in memory, the JavaScript then will perform the necessary callback(s) to the C2 servers which are hard coded in the payload. The addresses seen in this payload were as follows:

http://soligro[.]com/wp-includes/pomo/db.php
http://belcollegium[.]org/wp-admin/includes/class-wp-upload-plugins-list-table.php

It should be noted that the above domains appear to have been compromised by the actor based on the locations of the PHP scripts.
It is advised that users disable macros in their enterprise and not allow the user to enable said content unless absolutely necessary. Also scan with Max Total Security everyday and update daily to get latest malware signatures.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>