A malware family discovered in espionage attacks against the defense sector in Ukraine and Eastern Europe has been linked to the Turla Russian APT by CERT-UA, Ukraine’s governmental computer emergency response team, in a new alert this week.
The malware, tracked as Capibar by CERT-UA (also tracked as DeliveryCheck by Microsoft and GAMEDAY by Mandiant), is distributed through email attachments with malicious macros. The malware in some cases was observed executing Kazuar, a known backdoor with numerous data-stealing capabilities that has previously been linked to Turla.
CERT-UA said that the malware has been tracked since 2022, and Mandiant researchers said they observed the malware being spread this year in January and February via weaponized Excel sheets, and then from May through July. The activity was observed as recently as July 15, where it peaked to its highest levels, said Mandiant researchers.
Overall, the purpose of the campaign appears to be espionage: “The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems,” said researchers with Microsoft on Wednesday.
According to CERT-UA, which worked with Microsoft in analyzing the campaign and has also distributed the malicious samples to other security companies, the threat actor targeted Microsoft Exchange servers to install server-side components of the malware by leveraging Desired State Configuration (DSC), a feature in PowerShell that automates the configuration of Windows and Linux operating systems.
“DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center,” according to Microsoft.
The malware establishes persistence via a scheduled task that downloads and launches it in memory. It also establishes contact with a command-and-control (C2) server to retrieve commands, including launching payloads that are embedded in Extensible Stylesheet Language Transformation (XSLT) stylesheets.
"Turla continues to shift from using large, modular malware frameworks to smaller and less sophisticated tools to launch their tried-and-true malware such as Kazuar.”
After infection, the malware was observed loading Kazuar on impacted computers. The backdoor has the capability to obtain data from OS logs; steal authentication data, passcodes and cookies; steal browser, VPN and Signal passwords; and steal databases and configuration files of programs like Azure, KeePass, AWS and more. The targeting of Signal in this campaign is also noteworthy. While Kazuar has been around since 2017, Turla has refocused their exfiltration efforts over time beyond email to target new or emerging technologies, said Gabby Roncone, associate principal analyst with Google Cloud’s Mandiant team.
"Turla continues to shift from using large, modular malware frameworks to smaller and less sophisticated tools to launch their tried-and-true malware such as Kazuar,” said Roncone.
The malware also leverages the legitimate rclone open-source command line program for data exfiltration, a departure from the group’s use of more customized and sophisticated data exfiltration tools like the Crutch backdoor. Dan Black, principal analyst with Google Cloud’s Mandiant team, said “Turla is known to be judicious about when and where to use its more sophisticated, expensive tools.”
“Turla operators are aware that capabilities in play in Ukraine are at high risk of detection,” said Black. “Rather than reaching for the top-shelf, they've likely prioritized open-source tools that can be burned without exposing significant new tactics or capability.”
Both CERT-UA and security researchers attributed the attacks to Turla, due to the use of Kazuar in the attacks as well as other similar tactics around obfuscation mechanisms and techniques for loading payloads from the registry. The Russian APT group has been linked to high-profile and sophisticated attacks for decades, with many of these hitting U.S. agency and military networks. Beyond Capibar, Turla has also been known to develop new tools and backdoors over the years, including one called TinyTurla discovered in 2021 that researchers believe serves as a backup persistence mechanism for the group to maintain access to compromised machines. These operations were carried out for years before security researchers identified Turla in 2014 and began to detail its operations and toolsets, including the Snake malware.
In May, the FBI announced it had dismantled a global network of computers infected by Snake by obtaining access remotely to the infected computers and issuing commands causing the Snake malware to overwrite its own components. Though security researchers applauded the move at the time and said it would likely force Turla to carry out some retooling, they said it wouldn’t make the group go away, as evidenced through this latest campaign.
Turla’s malware campaign is the latest cyberattack targeted at Ukraine that has been tied back to Russia. In June, security researchers detailed the threat actor behind the destructive WhisperGate malware - deployed in January 2022 attacks against several Ukrainian organizations - and identified the group as a distinct team linked to Russia’s GRU military intelligence service. And in March, researchers exposed activity by the Russian Winter Vivern APT targeting government and private organizations in Ukraine, Poland, and other countries, especially those organizations that are supporting Ukraine in its defense against the Russian invasion.