Turla Update – ‘New Pass’


Saturday, July 18th, 2020

Telsy, a security firm providing ICT solutions, recently noticed interesting activity in June 2020 that links back to the Russian APT known as Turla and revolves around a previously unseen tool the firm dubbed "NewPass". NewPass is used to send data from victim devices to the command and control server. Three components make this malware work: a dropper, a loader, and an agent. The dropper deploys an encoded binary, the loader decodes and extracts it, and the agent is the piece that communicates with the command and control server. NewPass itself is deployed alongside other malware or tactics; getting the malicious files onto the victim's computer in the first place relies on those.

The dropper uses stealth and obfuscation to conceal its activities and to make both sandbox and manual analysis difficult: it borrows the names of legitimate programs and packs useless code into its 2.6 MB file. The loader and the dropper share a JSON configuration file that the attacker can easily customise, which suggests the malware has capabilities that were not exercised in the observed sample. The loader looks for its associated configuration file, "lib3dXquery.dll", named to look like a legitimate Adobe component; if it is not found, the program terminates. The loader then loads the final malicious library, "LastJournalsx32.adf", which is hidden inside a configuration file and padded with random bytes so that the file's hash changes at every infection. For defenders, that padding means a file hash taken from one infection will not match the next. The JSON configuration is carried through the whole chain and, as Telsy describes it, amounts to a set of instructions: it all but summarises the entire infection process, and the file names that matter are spelled out in it. The loader also supports several forms of persistence: the Service Manager, the Task Scheduler, a Registry key or a Windows GPO.
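The random padding described above is worth seeing in numbers. The following is an added example, not code from the original post or from Telsy; it uses a constructed stand-in payload rather than any real NewPass bytes, and it assumes the padding is appended to the end of the file (the post does not say where it goes). It shows that the full-file SHA-256 of two "infections" differs while a hash of the unpadded prefix and a YARA-style match on an invariant byte sequence still agree, which is why content-based rules hold up where a plain hash IOC does not.

```python
import hashlib
import random
from typing import Optional

# Constructed stand-in for the hidden library: NOT NewPass bytes, just a
# recognisable fixed body so the effect of the padding is visible.
SAMPLE_LIBRARY = b"MZ\x90\x00" + b"FAKE-LIBRARY-BODY-FOR-DEMO" * 8

# Hypothetical invariant byte sequence a content rule would key on. This assumes
# some part of the real library stays constant between infections.
INVARIANT_MARKER = b"FAKE-LIBRARY-BODY-FOR-DEMO"


def pad_with_random(payload: bytes, min_pad: int = 16, max_pad: int = 256,
                    rng: Optional[random.Random] = None) -> bytes:
    """Append a random-length run of random bytes, as the post says the loader
    does to change the on-disk hash on every infection.
    Assumption: the padding is appended after the payload."""
    rng = rng or random.Random()
    length = rng.randint(min_pad, max_pad)
    return payload + bytes(rng.getrandbits(8) for _ in range(length))


def sha256_hex(data: bytes) -> str:
    """Full-file hash, the kind of IOC the padding is designed to defeat."""
    return hashlib.sha256(data).hexdigest()


def prefix_hash(data: bytes, length: int) -> str:
    """Hash only the leading `length` bytes; trailing padding cannot change it."""
    return hashlib.sha256(data[:length]).hexdigest()


def content_match(data: bytes, marker: bytes = INVARIANT_MARKER) -> bool:
    """YARA-style check: does the invariant sequence occur anywhere in the file?"""
    return marker in data


def compare_two_infections(seed_a: int = 1, seed_b: int = 2) -> dict:
    """Simulate the same library dropped on two hosts with different padding
    (seeded so the run is reproducible) and report which detection methods
    still agree across the two copies."""
    a = pad_with_random(SAMPLE_LIBRARY, rng=random.Random(seed_a))
    b = pad_with_random(SAMPLE_LIBRARY, rng=random.Random(seed_b))
    n = len(SAMPLE_LIBRARY)
    return {
        "full_hash_equal": sha256_hex(a) == sha256_hex(b),
        "prefix_hash_equal": prefix_hash(a, n) == prefix_hash(b, n),
        "content_match_both": content_match(a) and content_match(b),
    }


if __name__ == "__main__":
    print(compare_two_infections())
```

The prefix hash only works if you know where the invariant region ends, which in practice means carving the embedded library out of its carrier file first; the marker match is the more robust of the two and is what a YARA rule would do.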

The agent itself is very simple but uses some interesting methods. The text data it sends to the C2 server is carried in a POST request, separated by keywords such as "newpass", "dbnew" and "passdb"; the complete list, along with the other IOCs, is available on the Telsy website. The values, that is the stolen data, are encrypted inside the HTTP message using one of the keys held in the JSON configuration file. Detection can be based on the IOCs published by Telsy and available through OTX (AlienVault's Open Threat Exchange), as well as on other forms of anomaly detection.
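Because the values are encrypted, a network detection for this agent cannot key on the stolen content; it has to key on the structure, namely the keyword separators that frame the POST body. The following is an added example, not code from the original post or from Telsy: it checks constructed request bodies for the three markers the post names (a partial list; Telsy's write-up has the full set) and only flags a request when several markers co-occur, because a lone "newpass" is common in legitimate password-change forms. The `key=value` layout of the sample bodies and the `<method> <path> <body>` log format are assumptions for the demo, not the real wire format.

```python
import re
from typing import Dict, List

# Keyword separators the post reports in NewPass POST bodies. Partial list:
# Telsy's write-up carries the complete set of markers and the other IOCs.
NEWPASS_MARKERS = ("newpass", "dbnew", "passdb")

# Constructed sample bodies. The real layout of the request is not shown in the
# post; the form-like key=value shape below is an assumption for this demo.
SUSPICIOUS_BODY = "newpass=Zm9v...&dbnew=YmFy...&passdb=YmF6..."
BENIGN_BODY = "user=alice&newpass=hunter2&confirm=hunter2"  # one legit hit only

# Constructed access-log lines: "<method> <path> <body>" (assumed format).
SAMPLE_LOG = [
    "GET /index.html -",
    "POST /login " + BENIGN_BODY,
    "POST /api/upload " + SUSPICIOUS_BODY,
]


def find_markers(body: str, markers=NEWPASS_MARKERS) -> List[str]:
    """Return the markers that occur as standalone tokens in the body."""
    found = []
    for m in markers:
        # Word boundaries stop "newpassword" from counting as "newpass".
        if re.search(rf"\b{re.escape(m)}\b", body, re.IGNORECASE):
            found.append(m)
    return found


def is_suspicious(body: str, min_hits: int = 2) -> bool:
    """Flag only when several markers co-occur. A single "newpass" field is
    too noisy on its own; the co-occurring separators are the real signal."""
    return len(find_markers(body)) >= min_hits


def triage_log(lines: List[str]) -> Dict[int, List[str]]:
    """Run the check over log lines and map flagged line numbers (1-based)
    to the markers found in their POST bodies."""
    hits: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        if is_suspicious(parts[2]):
            hits[n] = find_markers(parts[2])
    return hits


if __name__ == "__main__":
    for line_no, markers in triage_log(SAMPLE_LOG).items():
        print(f"line {line_no}: NewPass-style markers {markers}")
```

Treat this as a structural heuristic to run beside the published IOCs, not instead of them: the C2 hosts and file names from the Telsy report and OTX give higher-confidence matches, and this check is there to catch traffic to infrastructure those lists do not yet cover.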


Sources:
