Solaris Boxes Possibly Targeted by Linux Turla Backdoor, Too

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
The Linux variant of the Turla remote access Trojan (RAT) may have initially targeted machines running the Solaris operating system, recent analysis of the malware revealed.

Turla RAT is a component of a cyber-espionage operation discovered by security researchers at Kaspersky, who called it Epic Turla. Several hundred Windows computers in over 45 countries have been found infected with this malware.
Finding Solaris machines infected with Turla would not be surprising
At the beginning of the week, though, Kaspersky published the discovery of a Linux variant used by the threat actor behind the Epic Turla campaign, also known as Snake and Uroburos. Their analysis focused on the functionality of the threat.

F-Secure also took a look at the malware sample and concluded that Linux Turla sets up the environment for its file execution command in a way that is typical of the Solaris operating system, not of Linux.

“This raises a question on whether this backdoor was originally targeting Solaris platform. There's nothing in the code and statically-linked libraries that would make this especially difficult to port, so we wouldn't be surprised to find out this malware is also on Solaris boxes in the following days,” Jarkko Salo, business manager at F-Secure says in a blog post.

This came after another interesting finding: the backdoor can sniff the network interface in search of a particular type of packet, which allows it to configure the command and control server address and activate its functions.
Linux Turla relies on source code of proof-of-concept from 2000
Another interesting aspect of the Linux variant of the Turla advanced persistent threat is that it is based on freely available code from cd00r, a proof-of-concept backdoor written back in 2000 to demonstrate that backdoor servers can be invisible: the port it listens on is not open at all times, but only once certain packets are detected in the network traffic.

It is important to note that Kaspersky discovered more than one strain of the malware, which suggests active development and supports the platform porting theory put forward by F-Secure.

Although the Solaris operating system, developed by Oracle, can be used on desktops, it is employed mostly on servers and large mainframes. It is currently at version 11, and it aims to improve cloud operations by maximizing the resources of a data center while keeping it secure at the same time.

Turla has all the hallmarks of an APT, and the operation is believed to be still active. It was discovered this year, but researchers determined that it started in 2012, with an interest in government entities, intelligence agencies and diplomatic organizations, as well as the military, academia and the pharmaceutical sector.