Researchers have observed Turla, a Russia-based threat actor, using a new malware toolset capable of stealing sensitive documents. The attacks were directed at the Ministry of Foreign Affairs of a European Union country, along with other high-profile targets.
Dubbed Crutch by its operators, the previously undocumented backdoor is designed to harvest sensitive documents and other files and exfiltrate them to Dropbox accounts managed by Turla.
Its operators focus mainly on reconnaissance, lateral movement, and espionage; the core malicious activity consists of staging, compressing, and exfiltrating documents.
- The operators upload ZIP files containing commands for the backdoor to a Dropbox account.
- The threat actors deploy Crutch as a second-stage backdoor on already compromised machines, using first-stage implants such as Skipper and the PowerShell Empire post-exploitation framework.
- Crutch v4, the most recent version, adds a removable-drive monitor with networking capabilities: it automatically uploads files saved on local and removable drives to Dropbox.
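Because Crutch both receives its commands from and exfiltrates to Dropbox, the defender's lever is the egress path: a legitimate Dropbox client talks to the Dropbox API, but a backdoor running inside some other process does too. The script below is an added detection example, not code from the report or from eScan. It runs over a handful of constructed egress-proxy records (the log format, host names and process names are made up for the example), flags any process other than an allow-listed Dropbox client talking to the public Dropbox web/API domains (dropbox.com, dropboxapi.com), and separately flags hosts whose upload volume to those domains exceeds a threshold, which is the signal a bulk document-staging backdoor leaves behind.

```python
from collections import defaultdict

# Constructed egress-proxy records (made up for this example, not data from the
# report). Assumed field order:
#   timestamp host process method destination bytes_out content_type
SAMPLE_PROXY_LOG = """\
2020-11-20T09:01:12Z WS-MFA-07 Dropbox.exe POST content.dropboxapi.com 184320 application/octet-stream
2020-11-20T09:03:40Z WS-MFA-07 outlook.exe GET outlook.office365.com 2200 text/html
2020-11-20T09:05:01Z WS-MFA-12 svchost.exe POST content.dropboxapi.com 5242880 application/zip
2020-11-20T09:05:09Z WS-MFA-12 svchost.exe POST content.dropboxapi.com 6291456 application/zip
2020-11-20T09:06:30Z WS-MFA-12 svchost.exe GET api.dropboxapi.com 512 application/json
2020-11-20T09:10:00Z WS-MFA-03 chrome.exe POST www.dropbox.com 40960 application/zip
"""

# Public Dropbox web and API domains; matched on the registrable suffix so
# sub-hosts such as api.dropboxapi.com and content.dropboxapi.com are covered.
DROPBOX_SUFFIXES = ("dropbox.com", "dropboxapi.com")
_FIELDS = ("ts", "host", "process", "method", "dest", "bytes_out", "content_type")


def parse_log_line(line):
    """Split one whitespace-separated record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != len(_FIELDS):
        return None
    rec = dict(zip(_FIELDS, parts))
    try:
        rec["bytes_out"] = int(rec["bytes_out"])
    except ValueError:
        return None
    return rec


def is_dropbox_dest(dest):
    """True when the destination is a Dropbox domain or one of its sub-hosts."""
    d = dest.lower()
    return any(d == s or d.endswith("." + s) for s in DROPBOX_SUFFIXES)


def analyse_dropbox_egress(log_text, expected_clients=("dropbox.exe",),
                           upload_threshold=1_000_000):
    """Return findings for Dropbox traffic from unexpected processes and for
    hosts whose cumulative upload volume to Dropbox exceeds the threshold.

    expected_clients: process names allowed to talk to Dropbox (assumption:
    only the official client; tune per environment, e.g. add browsers).
    """
    expected = {p.lower() for p in expected_clients}
    findings = []
    seen_unexpected = set()          # (host, process) already reported
    upload_bytes = defaultdict(int)  # (host, process) -> bytes uploaded

    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not is_dropbox_dest(rec["dest"]):
            continue
        key = (rec["host"], rec["process"])
        # Any non-allow-listed process reaching Dropbox is reported once.
        if rec["process"].lower() not in expected and key not in seen_unexpected:
            seen_unexpected.add(key)
            findings.append({"host": key[0], "process": key[1],
                             "reason": "unexpected_client",
                             "detail": f"{rec['method']} to {rec['dest']} "
                                       f"({rec['content_type']})"})
        # Only request methods that carry a body count toward upload volume.
        if rec["method"].upper() in ("POST", "PUT"):
            upload_bytes[key] += rec["bytes_out"]

    # Bulk upload is reported regardless of process: even the real client
    # pushing an unusual volume of archives deserves a look.
    for (host, process), total in upload_bytes.items():
        if total > upload_threshold:
            findings.append({"host": host, "process": process,
                             "reason": "upload_volume", "bytes_out": total})

    findings.sort(key=lambda f: (f["host"], f["process"], f["reason"]))
    return findings


if __name__ == "__main__":
    for f in analyse_dropbox_egress(SAMPLE_PROXY_LOG):
        print(f)
```

On the constructed sample the official client on WS-MFA-07 produces nothing, while svchost.exe on WS-MFA-12 is reported twice (an unexpected client, and roughly 11 MB of ZIP uploads in a minute) and the browser on WS-MFA-03 is reported once for the process alone. In a real deployment the allow-list and the threshold are the tuning knobs: a browser session to www.dropbox.com is usually benign, a system process posting archives to the Dropbox API is not.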
Recent activities
Turla has actively targeted governments, embassies, educational institutions, and research facilities over the last two months.
- In the last month, the U.S. Cyber Command disclosed eight new malware samples, six belonging to ComRAT and two to Zebrocy.
- The group also hacked into the systems of an unnamed European government organization.
The Turla group is actively updating its older malware to target several industries around the world. Hence, our internal experts suggest using a reliable anti-malware solution such as eScan Antivirus, a software/hardware system for computer and network security, and implementing security mechanisms for common infection vectors.
To read more, please check eScan Blog