Russia-Based Turla Group Uses Dropbox to Store Stolen Data
Turla is a Russian-backed hacking group that has used a previously unknown malware toolset to deploy backdoors and steal sensitive documents in a targeted cyber-espionage campaign against such high-profile targets as the Ministry of Foreign Affairs of a EU country. The malware is known as ‘Crutch’ by its authors and was used in campaigns beginning in 2015 to at least early 2020 and is designed to help harvest and exfiltrate sensitive documents and other files of interest to Dropbox accounts controlled by the hacking group. Researchers at ESET claim that the level of sophistication of the attacks and technical details help to strengthen the belief that Turla group has considerable resources at their disposal and it’s important to note that the malware is able to bypass some security layers by abusing legitimate infrastructure, i.e. Dropbox, in order to blend their malicious network traffic with normal and expected network traffic. This is important as they can successfully hide their data exfiltration efforts and command-and-control traffic.
ESET researchers were able to link Crutch to the Russian Turla APT group based on similarities with the WhiteBear malware the threat actors used between 2016 and 2017. The use of the same RC4 key for decrypting payloads, identical filenames while being dropped on the same compromised machine in September 2017, and almost identical PDB paths are just a few of the strong links between the two observed by ESET.
It’s believed that Turla delivered Crutch as a second stage backdoor on already compromised machines using first-stage implants like Skipper during 2017, months after the initial compromise in some cases, and the open-source PowerShell Empire post-exploitation framework. Early versions of Crutch, between 2015 and mid-2019, used backdoor channels to communicate with hardcoded Dropbox account via the official HTTP API and drive monitoring tools without network capabilities that searched for and archived interesting documents as encrypted archives.
An updated version, labeled version 4 by ESET, added a removable-drive monitor with networking capabilities and removed the backdoor capabilities. However, it allows for a more hands-off approach since it is capable of automatically uploading the files found on local and removable drives to Dropbox storage by using the Windows version of the ‘Wget’ utility. Both versions use DLL hijacking to gain persistence on compromised devices on Chrome, Firefox, or OneDrive, with version 4 of crutch being dropped as an old Microsoft Outlook component.
Turla is a well known advanced persistent threat group that has compromised thousands of systems belonging to governments, embassies, as well as education and research facilities from more than 100 countries. Also known as Waterbug and VENOMOUS BEAR, the group has been active since as far back as 1996. They are the main suspect behind the attacks targeting the U.S. Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.
They are known for their unorthodox methods they use during their cyberattacks such as creating backdoor trojans with their own APIs, controlling malware using comment on Britney Spears Instagram photos, and even hijacking the infrastructure and malware of Iranian APT OilRig and using them in their own campaigns.
Sources: