Epic Turla – catching the reptile’s tail

Kaspersky Lab released results of a 10-months long analysis of Epic Turla APT campaign, which is still active. One of the most sophisticated cyber-espionage campaigns, it attacked victims in 45 countries.

Over the last 10 months Kaspersky Lab researchers have been monitoring and analyzing a massive cyber-espionage which we designated as “Epic Turla”. So far the attackers behind it have infected several hundred computers in more than 45 countries, including those in government institutions, embassies, military, education, research and pharmaceutical companies. While the military and governmental entities are a common target for cyberspies, it does look like cybercriminals these days have some very special interest in the pharmaceutical sector. Recently reported MiniDuke and Crouching Yeti/Energetic Bear campaigns are also tracking players in that sector.


But, back to Turla. It’s been known for some time, however, the biggest question remaining was its infection vector. Now, our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more complex backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to “rescue” each other if communications are lost with one of the backdoors.

Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms. In other words, Epic Turla comes to stay.

The attacks are known to have used at least two zero-day exploits:

  • CVE-2013-5065 – privilege escalation vulnerability in Windows XP and Windows Server 2003
  • CVE-2013-3346 – Arbitrary code-executing vulnerability in Adobe Reader

Yet another proof that a) Windows XP and Windows Server 2003 are still widely used; b) they are attackers’ favorites, too.


Then there is yet another vulnerability in Adobe Reader, not exactly the most recent one, but still largely unpatched, apparently, despite the extreme danger it poses. Whenever an unsuspecting user opens a maliciously-crafted PDF file on a vulnerable system, the machine will automatically get infected, allowing the attacker to gain immediate and full control over the target system.

The attackers use both direct spear-phishing e-mails and watering hole attacks to infect victims. The attacks detected in this operation fall into several different categories depending on the initial infection vector used in compromising the victim:

  •    Spear-phishing e-mails with Adobe PDF exploits
  •    Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR
  •    Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
  •    Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers

Watering holes are websites commonly visited by potential victims. These websites are compromised in advance by the attackers and injected to serve malicious code. Depending on the visitor’s IP address (for instance, a government organization’s IP), the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. In total, we have observed more than 100 injected websites. The choice of the websites reflects specific interest of attackers. For example, many of infected Spanish websites belong to local governments.

Once the user is infected this or that way, the Epic backdoor (also known as “WorldCupSec”, “TadjMakhal”, “Wipbot” or “Tadvig”) immediately connects to the command-and-control (C&C) server to send a pack with the victim’s system information. Based on that, attackers deliver pre-configured batch files containing a series of commands for execution. In addition to these, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities like a DNS query tool from Microsoft.

During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the “Cobra/Carbon system”, also named “Pfinet” by some anti-virus products. After some time, the attackers went further and used the Epic implant to update the “Carbon” configuration file with a different set of C&C servers. The unique knowledge to operate these two backdoors indicates a clear and direct connection between each other.

“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system” explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014. Targets of “Epic”, as said before, belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations and pharmaceutical companies.

Most of the victims are located in the Middle East and Europe, however, we observed victims in other regions as well, including in the USA. In total, Kaspersky Lab experts counted several hundred victim IPs distributed in more than 45 countries, with France at the top of the list.