The cyberespionage group Turla (also tracked as G0010, Snake, Venomous Bear, Group 88, Waterbug, Turla Team, Krypton, Uroburos, SIG23 and WhiteBear), which is believed to have ties to Russia, is using new PowerShell-based tools that load and execute malware, executables and libraries directly in memory. This lets the group bypass detection techniques that trigger when a malicious executable is dropped on disk.
Turla has been active since at least 2008 and is known for its complex malware and its involvement in major attacks against military-related and government entities in Europe and the Middle East, including the German Foreign Office and the French military. Recently, researchers at ESET detected a new wave of attacks aimed at diplomatic entities in Eastern Europe that use PowerShell scripts to load a wide range of custom malware from Turla's traditional arsenal.
The PowerShell loaders differ from simple loaders in how they persist: the loader itself stays on the system, and only the embedded executable or library is ever loaded into memory. To maintain persistence on an infected system, the loader uses both a Windows Management Instrumentation (WMI) event subscription and an altered PowerShell profile (the profile.ps1 file).
The attackers create two WMI event filters and two WMI event consumers. The consumers are simply command lines that launch PowerShell commands, which in turn load a large PowerShell script stored in the Windows registry. Payloads stored in the registry are encrypted with the 3DES algorithm and decrypted at load time. The decrypted payload is a PowerShell reflective loader based on the Invoke-ReflectivePEInjection.ps1 script from the PowerSploit framework. The executable is then loaded into the memory of a random process that is already running on the system.
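The persistence chain just described (WMI filter and consumer pairs whose command lines launch PowerShell to load a registry-stored script, plus a modified profile.ps1) is what a defender would hunt for on a host. The PowerShell script below is an added example, not code from the article or from ESET: it enumerates permanent WMI subscriptions and PowerShell profile files and flags the ones whose contents look like this loader behaviour. The keyword patterns and the per-user profile paths are assumptions; the article does not name the registry location the script is stored in, so the example looks for the consumer command line that reads it rather than for any specific key.

```powershell
# Added hunting example, not code from the original article or from ESET.
# Enumerates the two persistence mechanisms described above on a Windows host:
# permanent WMI event subscriptions (filter -> binding -> consumer) and
# PowerShell profile.ps1 files. Run from an elevated PowerShell session.
# The keyword patterns are constructed heuristics: every hit needs manual review.

function Get-ReferenceName {
    # Reference properties come back as CimInstance objects from Get-CimInstance,
    # or as path strings such as __EventFilter.Name="X" from older tooling. Handle both.
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return [string]$Ref.Name }
    $s = [string]$Ref
    if ($s -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return $s
}

function Find-PowerShellPersistence {
    [CmdletBinding()]
    param(
        # Consumers that spawn a PowerShell host are the ones worth reading closely.
        [string]$LauncherPattern = 'powershell|pwsh',
        # Tokens that typically appear when script text is pulled from the registry,
        # decoded and executed in memory (constructed heuristic, not a signature).
        [string]$SuspectPattern  = '-enc|encodedcommand|frombase64string|get-itemproperty|getvalue\(|invoke-expression|\biex\b|reflectivepeinjection|virtualalloc'
    )

    $ns = 'root/subscription'
    $findings = New-Object System.Collections.Generic.List[object]

    # --- 1. Permanent WMI subscriptions ---
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $fName = Get-ReferenceName $b.Filter
        $cName = Get-ReferenceName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer exposes ScriptText.
        $body = ''
        if ($c -and $c.CommandLineTemplate) { $body = [string]$c.CommandLineTemplate }
        elseif ($c -and $c.ScriptText)      { $body = [string]$c.ScriptText }
        $class   = if ($c) { $c.CimClass.CimClassName } else { 'missing consumer' }
        $trigger = if ($f) { [string]$f.Query } else { 'missing filter' }
        # A consumer that launches PowerShell and reads/decodes script text matches the
        # loader behaviour described in the article; flag it for review.
        $suspect = [bool](($body -imatch $LauncherPattern) -and ($body -imatch $SuspectPattern))
        $findings.Add([pscustomobject]@{
            Source  = 'WMI subscription'
            Name    = "$fName -> $cName"
            Class   = $class
            Trigger = $trigger
            Detail  = $body
            Suspect = $suspect
        })
    }

    # --- 2. PowerShell profiles: this session's four profile paths plus every user's Documents folder ---
    $candidates = @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
                    $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost)
    # Assumed layout for other users' profiles (Windows PowerShell and PowerShell 7 locations).
    $candidates += @(Get-ChildItem -Path "$env:SystemDrive\Users\*\Documents\WindowsPowerShell\*profile.ps1",
                                         "$env:SystemDrive\Users\*\Documents\PowerShell\*profile.ps1" -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty FullName)

    foreach ($p in ($candidates | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # most profile paths do not exist on a clean host
        $item = Get-Item -LiteralPath $p
        $text = [string](Get-Content -LiteralPath $p -Raw -ErrorAction SilentlyContinue)
        $findings.Add([pscustomobject]@{
            Source  = 'PowerShell profile'
            Name    = $p
            Class   = 'profile.ps1'
            Trigger = "every PowerShell start (last write $($item.LastWriteTimeUtc.ToString('u')))"
            Detail  = (($text -split "`r?`n") | Select-Object -First 3) -join ' | '
            Suspect = [bool]($text -imatch $SuspectPattern)
        })
    }

    return $findings
}

# Usage: suspect entries first; keep the full objects for export or ticketing.
$hits = Find-PowerShellPersistence
$hits | Sort-Object Suspect -Descending | Format-Table Source, Name, Class, Suspect -AutoSize
$hits | Where-Object Suspect | Format-List
```

Any profile.ps1 that exists at all is worth a second look on a server that should not have one, regardless of the keyword match, and a WMI subscription whose consumer is missing or whose filter polls on a timer is unusual enough to record even when unflagged. The Sysmon events for WMI filter, consumer and binding creation (Event IDs 19, 20 and 21) give the same visibility at creation time rather than after the fact.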
In some samples, Turla's PowerShell script has been modified to bypass the Antimalware Scan Interface (AMSI), the Windows interface through which any application can hand content to the installed antivirus software for scanning. According to ESET, the group did not create its own bypass method but instead reused a technique presented at Black Hat Asia 2018.
Among the payloads recently used by Turla, two stand out. One is a set of backdoors relying on the RPC protocol, used to move laterally and take control of other machines in the local network without relying on an external C&C server. The other is PowerStallion, a lightweight PowerShell backdoor that uses Microsoft's cloud storage service, OneDrive, as its command and control server.
“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said ESET’s Matthieu Faou.
While the above-mentioned PowerShell scripts were detected in attacks on Eastern European diplomatic entities, the researchers believe that these tools are likely being deployed more globally against traditional Turla targets in Western Europe and the Middle East.