Turla APT uses new ‘Crutch’ backdoor in cyber-espionage attacks

The cyber-espionage group Turla has a new addition to its malware arsenal - a backdoor and document stealer named ‘Crutch.’ The previously undocumented toolset was discovered by the Slovak cybersecurity firm ESET on the network of a Ministry of Foreign Affairs in a country of the European Union.

Turla (aka Belugasturgeon, KRYPTON, Snake, Venomous Bear, and Waterbug), which has been active for more than ten years, is largely known for its attacks against governments, especially diplomatic entities, all around the world.

The Crutch backdoor appears to have been in use from 2015 until at least early 2020. During the research, ESET discovered links between a Crutch dropper from 2016 and Gazer (WhiteBear), a second-stage backdoor used by the APT in 2016-2017.

The researchers also noticed the FatDuke backdoor, previously attributed to the Dukes (APT29) cyber-espionage group, present on one machine at the same time as the Crutch toolset. However, ESET did not find any evidence of interaction between these two malware families, suggesting that both groups could have independently breached the same machine.

In the observed attacks, Turla leveraged the Crutch malware against several systems of the Ministry of Foreign Affairs in a country of the European Union. These tools were designed to exfiltrate sensitive documents and other files to attacker-controlled Dropbox accounts. The goal of the operation was reconnaissance, lateral movement and espionage, ESET said.

The researchers believe that Crutch is deployed following the initial compromise of the victim’s network using first-stage implants such as Skipper and PowerShell Empire.

From 2015 to mid-2019, the malware architecture consisted of a backdoor communicating with Dropbox via the official HTTP API and a drive monitor with no network capabilities. Crutch v3 can execute basic commands such as reading and writing files or launching additional processes. It persists via DLL hijacking of Chrome, Firefox or OneDrive. Some Crutch variants were observed to include recovery C&C channels using either GitHub or a regular domain.

Crutch v4, which appeared in July 2019, differs in that it no longer supports backdoor commands, although it can automatically upload files found on local and removable drives to Dropbox storage using the Windows version of the Wget utility.
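A defender-side hunt for the Dropbox abuse described above, added here as an example and not part of the article or of ESET's research: it flags processes that contact the Dropbox API without being the sync client, calling out wget.exe (the v4 upload pattern) and the Chrome, Firefox and OneDrive hosts that Crutch v3 hijacks. The Dropbox API hostnames, the process allowlist and the connection-log format are assumptions, and the sample log is constructed.

```python
"""Hunt for Crutch-style Dropbox API abuse in endpoint connection logs."""
import re

# Dropbox API hostnames: general knowledge, not indicators from the article.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
EXPECTED_DROPBOX_PROCESSES = {"dropbox.exe"}  # assumed allowlist for this fleet
HIJACK_HOSTS = {"chrome.exe", "firefox.exe", "onedrive.exe"}  # Crutch v3 DLL-hijack hosts

# Constructed, simplified connection-log format (not any real product's).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image="(?P<image>[^"]+)" dest=(?P<dest>\S+)$'
)


def classify(image, dest):
    """Label one outbound connection, or return None if it looks benign."""
    if dest.lower() not in DROPBOX_API_HOSTS:
        return None
    proc = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if proc in EXPECTED_DROPBOX_PROCESSES:
        return None
    if proc == "wget.exe":
        return "wget.exe to Dropbox API (Crutch v4 upload pattern)"
    if proc in HIJACK_HOSTS:
        # Browsers may open Dropbox web pages; direct API calls from them are rarer.
        return f"{proc} to Dropbox API (possible hijacked host, Crutch v3 pattern)"
    return f"unexpected process {proc} to Dropbox API"


def hunt(lines):
    """Return (timestamp, host, image, label) for every suspicious connection."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        label = classify(m["image"], m["dest"])
        if label:
            findings.append((m["ts"], m["host"], m["image"], label))
    return findings


# Constructed sample: benign sync client, wget upload, hijacked OneDrive, unrelated.
SAMPLE_LOG = """\
2020-01-14T09:00:01Z host=ws-12 image="C:\\Program Files\\Dropbox\\Dropbox.exe" dest=api.dropboxapi.com
2020-01-14T09:03:17Z host=ws-12 image="C:\\Windows\\Temp\\wget.exe" dest=content.dropboxapi.com
2020-01-14T09:05:40Z host=ws-07 image="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" dest=api.dropboxapi.com
2020-01-14T09:06:02Z host=ws-07 image="C:\\Windows\\System32\\svchost.exe" dest=update.example
"""
```

Running `hunt(SAMPLE_LOG.splitlines())` yields two findings, the wget upload and the OneDrive beacon; the allowlist and hijack-host sets are the knobs to tune for a real fleet.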

“Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET said. “Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.”