The Turla threat group, certainly Russian-speaking and widely attributed to Russian intelligence services, is back with a new phishing technique. The threat actor is distributing emails whose payloads, malicious pdf files, install a stealthy backdoor.
The backdoor is a standalone dynamic link library that's able to install itself and interact with Outlook and other email clients. It exfiltrates data through an email exchange, which means that it evades detection by many commonly used data loss prevention products. The data are enclosed in a pdf container, which also looks unproblematic to many security solutions.
As the ESET researchers who've tracked this latest evolution of Turla note, there's no command-and-control server that can be taken down - the malware can be completely controlled via email, the data exfiltration can look entirely legitimate, and the ways in which the campaign modifies standard functions make it a stealthy and tough-to-eradicate infection.
The purpose of this malware is to monitor all incoming and outgoing emails on infected systems and to gather information about the sender, recipient, subject, and attachment name (if any). That data is then organized into logs that are sent to Turla operators.
The Outlook backdoor also checks all incoming email for PDFs that might contain commands from the attackers. It will accept commands from ANY threat actor that is able to encode them in the right format in a PDF document. If the email address to which the malware typically transmits stolen data is blocked, the hacker can recover control of the backdoor simply by sending a rogue PDF with a new C2 address.
This is really a nightmare you don't want to wake up to. Organizations should step their employees through new-school security awareness training which explains that the pdfs they're receiving may not be what they seem. Dark Reading has the story: https://www.darkreading.com/attacks-breaches/turla-threat-group-uses-email-pdf-attachments-to-control-stealthy-backdoor/d/d-id/1332645