silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,154
Turla, an infamous advanced persistent threat (APT) group, is using new PowerShell-based tools that provide direct, in-memory loading and execution of malware, executables and libraries. Researchers at ESET detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts, linking them to the group.
Turla is believed to have been operating since at least 2008 when it successfully breached the U.S. military. It has also been involved in major attacks against many government entities in Europe and the Middle East – among them the German Foreign Office and the French military. The group is also known as Snake or Uroburos.
The PowerShell-based tools can bypass detection techniques that are triggered when a malicious executable is dropped on a disk, which ESET researcher Matthieu Faou believes are being used globally against "other traditional Turla targets."
The PowerShell loaders, detected by ESET under the umbrella name PowerShell/Turla, differ from simple droppers in their ability to persist on the system because they regularly load into memory only the embedded executables. In some samples, Turla developers modified their PowerShell scripts in order to bypass the Antimalware Scan Interface (AMSI). This technique leads to the antimalware product being unable to receive data from the AMSI interface for scanning.
“Along with Turla’s new PowerShell loader, we’ve discovered and analyzed several interesting payloads, including an RPC-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its command-and-control [C&C] server,” said Faou. “However, these techniques do not prevent the detection of the actual malicious payloads in memory."