2017-08-31

Russian Turla Group Attacks at Governments and Diplomats

Definition

The Russian Advanced Persistent Threat (APT) group known as "Turla" has been using targeted espionage attacks against governmental agencies and embassies for the past year. The backdoor software it uses was recently detected and named "Gazer" or "WhiteBear". It is a very clandestine piece of malware designed to be as unnoticeable and undetectable as possible. The backdoor collects information from the target and sends it to the controller.

Brief description of scenario

Gazer is distributed via spearphishing emails that infect the target with a first-stage backdoor such as "Skipper". Skipper then downloads Gazer as the primary payload. Gazer uses 3DES and RSA encryption and stores its configuration within the Windows Registry. To stay hidden, Gazer wipes files, changes code strings and disguises itself as a video game.

Mitigation

The following are some security measures recommended to lower the probability of a Gazer-type attack:

  • The security architecture should include several layers to create depth for cyber defence
  • Security operations should be able to monitor the traffic flowing to and from the defended domain 24/7
  • There should be more than one layer of virus detection, using different detection applications
  • End users should be trained in awareness of phishing attempts

