Russia-linked Turla hackers using Adobe Flash update to drop malware, steal data from embassies
The notorious hacking group is targeting embassies and consulates in eastern European post-Soviet states with this attack.
Turla, the notorious Russia-linked cyberespionage group, is targeting embassies and consulates in eastern European post-Soviet states by using a new tool to trick victims into installing malware to steal sensitive information. According to ESET researchers, the group has long targeted government and diplomatic agencies using fake Adobe Flash Player installers in earlier spear phishing campaigns and watering-hole attacks.
The hacking group makes sure the URLs and IP addresses used in their attacks closely correspond to Adobe's legitimate infrastructure to dismiss any suspicions and successfully dupe their victims.
"The victims are made to believe that the only thing that they are downloading is authentic software from adobe.com," ESET researchers said. "Unfortunately, nothing could be further from the truth."
The group has been using this attack technique in campaigns since at least July 2016, the researchers said.
The new tool also shares similarities with other malware families linked to Turla including the use of "Mosquito" - a backdoor believed to have been created by the group.
The researchers are still not entirely sure how the hackers are packaging the malware together with the legitimate Flash Player updates.
"It is safe to rule out a scenario involving some sort of compromise of Adobe," ESET said. "Turla's malware is not known to have tainted any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities. The possibility involving a compromise of the Adobe Flash Player download website has also been practically discarded."
Some possible attack vectors including a man-in-the-middle attack, compromising the organisation's network gateway to intercept traffic, targeting traffic at the level of internet service providers (ISPs) or using a Border Gateway Protocol (BGP) hijack to reroute traffic to a server controlled by the hackers.
After a victim downloads and runs the fake Flash installer, one of several backdoors is dropped.
"It could be Mosquito, which is a piece of Win32 malware, a malicious JavaScript file communicating with a web app hosted on Google Apps Script, or an unknown file downloaded from a bogus and non-existent Adobe URL," the researchers said.
Sensitive data is then exfiltrated from the infected computer including the machine's unique ID, username and list of security products installed on it. For MacOS, just the username and device name are siphoned by Turla's backdoor Snake.
The fake Flash installer then drops or downloads a legitimate Flash Player applications and runs it on the machine
The researchers have observed new variants of the Mosquito backdoor in the wild that are "more heavily obfuscated with what appears to be a custom crypter", making it more difficult for security experts and security software to detect and analyse.
"In order to establish persistence on the system, the installer tampers with the operating system's registry. It also creates an administrative account that allows remote access," ESET notes.
ESET says the Turla group's latest activities highlight their interest in consulates and embassies located in Eastern Europe and their significant efforts in "keeping their remote access to these important sources of information".