{"id":14991,"date":"2014-08-07T16:14:07","date_gmt":"2014-08-07T16:14:07","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2350"},"modified":"2019-11-15T07:14:28","modified_gmt":"2019-11-15T12:14:28","slug":"epic-turla-catching-the-reptiles-tail","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/epic-turla-catching-the-reptiles-tail\/14991\/","title":{"rendered":"Epic Turla \u2013 catching the reptile&#8217;s tail"},"content":{"rendered":"<p>Over the last 10 months Kaspersky Lab researchers have been monitoring and analyzing a massive cyber-espionage operation, which we designated \u201cEpic Turla\u201d. So far the attackers behind it have infected several hundred computers in more than 45 countries, including those in government institutions, embassies, military, education, research and pharmaceutical companies. While military and governmental entities are a common target for cyberspies, it does look like cyber-espionage actors these days have a very special interest in the pharmaceutical sector: the recently reported MiniDuke and Crouching Yeti\/Energetic Bear campaigns also target players in that sector.<\/p>\n<p>But back to Turla. The Turla actor has been known for some time; the biggest remaining question was its infection vector. Our analysis now indicates that victims are infected via a sophisticated multi-stage attack, which begins with Epic Turla. In time, as the attackers gain confidence, this is upgraded to more complex backdoors, such as the Carbon\/Cobra system. Sometimes both backdoors are run in tandem and used to \u201crescue\u201d each other if communications with one of them are lost.<\/p>\n<p>Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms. In other words, Epic Turla comes to stay.<\/p>\n<p>The attacks are known to have used at least two zero-day exploits:<\/p>\n<ul>\n<li><a href=\"http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2013-5065\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2013-5065<\/a> \u2013 privilege escalation vulnerability in Windows XP and Windows Server 2003<\/li>\n<li><a href=\"http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2013-3346\" target=\"_blank\" rel=\"noopener nofollow\">CVE-2013-3346<\/a> \u2013 arbitrary code execution vulnerability in Adobe Reader<\/li>\n<\/ul>\n<p>The two complement each other: the Reader flaw gives the attacker code execution in the user\u2019s context, and the Windows flaw lets that code escalate its privileges on the affected systems. Yet more proof that a) Windows XP and Windows Server 2003 are still widely used and b) they remain attackers\u2019 favorites.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020058\/stats-1.png\"><img decoding=\"async\" class=\"aligncenter wp-image-2352 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020058\/stats-1.png\" alt=\"stats\" width=\"433\" height=\"462\"><\/a><\/p>\n<p>The attackers also use an older Adobe Reader vulnerability, long since fixed by the vendor yet apparently still unpatched on many systems, despite the extreme danger it poses. 
Whenever an unsuspecting user opens a maliciously crafted PDF file on a vulnerable system, the machine is infected automatically, giving the attacker immediate and full control over it.<\/p>\n<p>The attackers use both direct spear-phishing e-mails and watering hole attacks to infect victims. The attacks detected in this operation fall into several categories depending on the initial infection vector used to compromise the victim:<\/p>\n<ul>\n<li>Spear-phishing e-mails with Adobe PDF exploits<\/li>\n<li>Social engineering to trick the user into running malware installers with a \u201c.SCR\u201d extension, sometimes packed with RAR<\/li>\n<li>Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)<\/li>\n<li>Watering hole attacks that rely on social engineering to trick the user into running fake \u201cFlash Player\u201d malware installers<\/li>\n<\/ul>\n<p>Watering holes are websites commonly visited by potential victims. The attackers compromise these websites in advance and inject them with code that serves malicious content selectively. Depending on the visitor\u2019s IP address (for instance, an address belonging to a government organization), the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. In total, we have observed more than 100 injected websites. The choice of websites reflects the specific interests of the attackers; for example, many of the infected Spanish websites belong to local governments.<\/p>\n<p>Whichever vector is used, once the user is infected the Epic backdoor (also known as \u201cWorldCupSec\u201d, \u201cTadjMakhal\u201d, \u201cWipbot\u201d or \u201cTadvig\u201d) immediately connects to the command-and-control (C&amp;C) server and sends a package containing the victim\u2019s system information. Based on that information, the attackers deliver pre-configured batch files containing a series of commands for execution. In addition, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities such as a DNS query tool from Microsoft.<\/p>\n<p>During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the \u201cCobra\/Carbon system\u201d, also named \u201cPfinet\u201d by some anti-virus products. After some time, the attackers went further and used the Epic implant to update the \u201cCarbon\u201d configuration file with a different set of C&amp;C servers. The unique knowledge required to operate these two backdoors indicates a clear and direct connection between them.<\/p>\n<p>\u201cThe configuration updates for the \u2018Carbon system\u2019 malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,\u201d explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.<\/p>\n<p>The \u201cEpic\u201d project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014. Targets of \u201cEpic\u201d, as noted above, belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign\/External affairs, intelligence agencies), embassies, military, research and education organizations and pharmaceutical companies.<\/p>\n<p>Most of the victims are located in the Middle East and Europe; however, we observed victims in other regions as well, including the USA. In total, Kaspersky Lab experts counted several hundred victim IPs distributed across more than 45 countries, with France at the top of the list.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab released the results of a 10-month-long analysis of the Epic Turla APT campaign, which is still active. 
One of the most sophisticated cyber-espionage campaigns, it attacked victims in 45 countries.<\/p>\n","protected":false},"author":209,"featured_media":15778,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[510,2035,282,2145,422],"class_list":{"0":"post-14991","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-analysis","10":"tag-cyber-espionage","11":"tag-cybersecurity","12":"tag-epic-turla","13":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/epic-turla-catching-the-reptiles-tail\/14991\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/epic-turla-catching-the-reptiles-tail\/14991\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/epic-turla-catching-the-reptiles-tail\/14991\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/analysis\/","name":"analysis"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14991","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14991"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14991\/revisions"}],"predecessor-version":[{"id":30766,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14991\/revisions\/30766"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15778"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
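The post above describes what the Epic backdoor does once it is in: it phones home with system information, the operators push pre-configured batch files for execution, and they then bring in a RAR archiver, a keylogger and standard utilities such as a Microsoft DNS query tool. That sequence is detectable from ordinary process-creation telemetry without any malware signature. The following is an added example written for this edit; it is not code from the original post or from Kaspersky Lab. It assumes telemetry in a simplified pipe-delimited format (timestamp, host, pid, ppid, image path, command line), assumes the archiver is rar.exe or WinRAR.exe and the DNS query tool is nslookup.exe (the post names neither binary), and the sample events are constructed, not real logs.

```python
"""Correlate process-creation events to spot the post-infection pattern the
post describes for the Epic backdoor: a batch file from a user-writable
location is executed, and within minutes its children include a (dropped)
RAR archiver and a DNS query tool.  Added example on constructed data."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one process-creation event
# per line: timestamp|host|pid|ppid|image path|command line.
# WS-0412 shows the Epic-style chain; WS-0233 is benign user activity.
SAMPLE_EVENTS = r"""
2014-02-03T09:12:01|WS-0412|1180|612|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2014-02-03T09:14:10|WS-0412|2204|1180|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Users\Public\task.bat
2014-02-03T09:14:12|WS-0412|2240|2204|C:\Users\Public\rar.exe|rar.exe a -r C:\Users\Public\out.rar C:\Users\j.doe\Documents
2014-02-03T09:14:20|WS-0412|2261|2204|C:\Windows\System32\nslookup.exe|nslookup.exe -type=any corp.example
2014-02-03T10:02:44|WS-0233|3310|3001|C:\Windows\explorer.exe|explorer.exe
2014-02-03T10:03:05|WS-0233|3322|3310|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe x backup.rar
2014-02-03T11:30:00|WS-0233|3400|3310|C:\Windows\System32\nslookup.exe|nslookup.exe mail.corp.example
"""

# Binary names are assumptions: the post only says "a RAR archiver" and
# "a DNS query tool from Microsoft" without naming them.
TOOL_CLASSES = {
    "archiver": {"rar.exe", "winrar.exe"},
    "dns_query": {"nslookup.exe"},
}
# Locations a non-admin implant can write to; a tool launched from one of
# these was most likely dropped by the attacker rather than installed.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def from_user_writable(self) -> bool:
        return self.image.lower().startswith(USER_WRITABLE)


def parse_events(text: str) -> list[ProcEvent]:
    """Parse the pipe-delimited format above; the command line may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, int(pid), int(ppid), image, cmdline))
    return events


def classify(ev: ProcEvent) -> str | None:
    """Map a process to a tool class, or None if it is not one we track."""
    for cls, names in TOOL_CLASSES.items():
        if ev.name in names:
            return cls
    return None


def is_batch_launch(ev: ProcEvent) -> bool:
    """cmd.exe executing a .bat that lives in a user-writable location."""
    low = ev.cmdline.lower()
    return ev.name == "cmd.exe" and ".bat" in low and any(p in low for p in USER_WRITABLE)


def find_epic_chains(events: list[ProcEvent], window: timedelta = timedelta(minutes=10),
                     min_classes: int = 2) -> list[dict]:
    """One alert per batch launch whose children, within `window` of the launch,
    cover at least `min_classes` distinct tool classes."""
    children = defaultdict(list)          # (host, parent pid) -> child events
    for ev in events:
        children[(ev.host, ev.ppid)].append(ev)

    alerts = []
    for ev in events:
        if not is_batch_launch(ev):
            continue
        seen: dict[str, str] = {}         # tool class -> first binary seen
        dropped: list[str] = []           # tools run from user-writable paths
        for child in children.get((ev.host, ev.pid), []):
            cls = classify(child)
            if cls is None or not (ev.ts <= child.ts <= ev.ts + window):
                continue
            seen.setdefault(cls, child.name)
            if child.from_user_writable:
                dropped.append(child.name)
        if len(seen) >= min_classes:
            alerts.append({
                "host": ev.host,
                "batch_pid": ev.pid,
                "batch_cmd": ev.cmdline,
                "tools": seen,
                "dropped_tools": sorted(set(dropped)),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_epic_chains(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed data this yields a single alert for WS-0412 (batch pid 2204, rar.exe dropped in C:\Users\Public plus nslookup.exe), while the WinRAR and nslookup use on WS-0233 is ignored because no batch launch parents it and the two events are over an hour apart. Keying children on (host, parent pid) is only safe inside the time window, since Windows reuses pids; on real telemetry use the process GUID your sensor provides instead of the raw pid.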