Researchers Reveal New Turla APT Group’s Tiny BackDoor Tactics

Using MSBuild, the threat actor deploys project files that execute a fileless backdoor, enabling remote control of the compromised system.

by Ashish Khaitan May 20, 2024 in Firewall Daily, Cybersecurity News, Dark Web News


Cyble Research and Intelligence Labs (CRIL) has discovered a sophisticated campaign employing malicious .LNK files, potentially distributed through spam emails. This operation, possibly orchestrated by the notorious Turla Advanced Persistent Threat (APT) group, uses human rights seminar invitations and public advisories as bait to infect users' systems with a malicious payload.

The threat actors (TAs) show a high level of sophistication by embedding the lure PDFs and MSBuild project files within the .LNK files, ensuring a seamless execution chain. Leveraging the Microsoft Build Engine (MSBuild), the TAs execute these project files to deploy a stealthy, fileless final payload that acts as a backdoor and gives them remote control over the compromised system.

Turla APT Group Infection Chain

The attack unfolds with a malicious .LNK file concealed within a ZIP archive, potentially delivered via phishing emails. Upon execution, the .LNK file triggers a PowerShell script, initiating a sequence of operations. These operations include extracting content from the .LNK file and creating three distinct files in the %temp% location: a lure PDF, encrypted data, and a custom MSBuild project.

The disguised .LNK file triggers a PowerShell script, which then opens the lure PDF while silently executing the embedded MSBuild project.

This project file carries encrypted content and uses the Rijndael algorithm (the cipher standardized as AES) to decrypt it, then executes the final backdoor payload.

The decrypted MSBuild project file, when executed with MSBuild.exe, runs an inline task directly in memory. This task implements the backdoor, which can monitor processes, execute commands, and communicate with a command-and-control (C&C) server for further instructions.
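An added example (not code from the article or from Cyble) of the static check a responder would run over a project file recovered from %temp%: the inline-task technique described above relies on a `<UsingTask>` whose task factory compiles C# embedded in a `<Code>` element when MSBuild.exe runs the project, so the scanner below parses the MSBuild XML, reports every such task, and lists which targets actually invoke it. The two sample projects, the task name and the placeholder C# are constructed for illustration.

```python
"""Static triage of MSBuild project files for inline tasks.

Added example: not code from the article or from Cyble. The sample
projects below are constructed, not real artefacts.
"""
import xml.etree.ElementTree as ET

# Task factories that compile source text taken from the project file itself.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix; MSBuild projects may or may not declare one."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml: str) -> list[dict]:
    """Return one record per <UsingTask> that embeds source code.

    Each record names the task, its factory, the <Code> Type (Fragment,
    Method or Class), the language, the size of the embedded source and the
    targets that call the task. A task that is defined but never invoked is
    still reported, with an empty 'invoked_by' list, so the analyst can rank it.
    """
    root = ET.fromstring(project_xml)
    targets = [t for t in root.iter() if _local(t.tag) == "Target"]
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        # Accept the short name and a fully qualified one such as
        # "Microsoft.Build.Tasks.CodeTaskFactory".
        if factory.rsplit(".", 1)[-1] not in INLINE_FACTORIES:
            continue
        code = next((c for c in elem.iter() if _local(c.tag) == "Code"), None)
        if code is None:
            continue
        task_name = elem.get("TaskName", "")
        # A target invokes the task by using an element named after it.
        invoked_by = [
            t.get("Name", "") for t in targets
            if any(_local(c.tag) == task_name for c in t.iter())
        ]
        findings.append({
            "task": task_name,
            "factory": factory,
            "code_type": code.get("Type", "Fragment"),
            "language": code.get("Language", "cs"),
            "code_length": len((code.text or "").strip()),
            "invoked_by": invoked_by,
        })
    return findings


# Constructed sample shaped like the chain described above: one target that
# calls an inline C# task compiled by CodeTaskFactory at build time.
SUSPICIOUS_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunTask />
  </Target>
  <UsingTask TaskName="RunTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        // constructed placeholder; it is never compiled by this scanner
        using Microsoft.Build.Framework;
        public class RunTask : ITask { public bool Execute() { return true; } }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

# Constructed benign project: no UsingTask, only the stock Message task.
BENIGN_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Message Text="nothing inline here" Importance="high" />
  </Target>
</Project>"""


if __name__ == "__main__":
    for label, project in (("suspicious", SUSPICIOUS_PROJECT), ("benign", BENIGN_PROJECT)):
        print(label, find_inline_tasks(project))
```

Run against a directory of recovered project files, the `invoked_by` field separates a task that merely exists from one that runs as soon as `MSBuild.exe <file>` is executed; the `code_length` and `code_type` fields give a quick sense of whether the embedded source is a one-line helper or a full class.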

Threat Actor Attribution to Turla APT Group

CRIL attributes this campaign to the Turla APT group on the basis of Russian-language comments in the code and behavioural similarities with previous Turla campaigns. The group's focus on targeting NGOs aligns with the lure documents referencing human rights seminars.

The use of MSBuild and other legitimate applications underlines the persistent nature of this threat actor. By abusing built-in functionality rather than dropping a conventional executable, the Turla APT group can evade security controls that rely on file-based detection. Organizations must adopt a multi-layered security approach to mitigate the risk effectively.

To fortify defenses against sophisticated threats like the Turla APT group, organizations should adopt a few key measures. These include implementing robust email filtering to block malicious attachments and exercising caution when handling email attachments from unknown sources.

Limiting access to development tools such as MSBuild to authorized personnel helps prevent their misuse, and disabling scripting languages like PowerShell where they are not needed reduces the attack surface. Establishing network-level monitoring is crucial for detecting and responding to anomalous activity swiftly. Together, these practices strengthen the security posture and safeguard sensitive data and systems.
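The recommendations above (restrict MSBuild to authorized users, watch for PowerShell abuse, monitor for anomalies) translate directly into detection rules over process-creation telemetry. The following is an added example, not code from the article or from Cyble: it assumes Sysmon event 1 or an EDR equivalent has already been normalised into records with the fields shown, and it flags MSBuild launches that were spawned by PowerShell, that build a project from a temp directory, or that run under an account outside an allow-list. The events and the allow-list are constructed.

```python
"""Flag MSBuild launches that match the infection chain described above.

Added example, not code from the article or from Cyble. The telemetry
records and the allow-list below are constructed for illustration.
"""
import ntpath

# Accounts expected to run MSBuild: build agents and developers (constructed).
AUTHORISED_BUILD_USERS = {"CORP\\buildsvc", "CORP\\dev-jane"}

# No legitimate build reads its project file from a temp directory.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Script hosts named in the chain above; an IDE or build agent is the usual parent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def msbuild_rules(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty for non-MSBuild)."""
    if _exe(event["image"]) != "msbuild.exe":
        return []
    hits = []
    if _exe(event["parent_image"]) in SCRIPT_HOSTS:
        hits.append("msbuild-spawned-by-powershell")
    if any(marker in event["command_line"].lower() for marker in TEMP_MARKERS):
        hits.append("msbuild-project-in-temp")
    if event["user"] not in AUTHORISED_BUILD_USERS:
        hits.append("msbuild-by-unauthorised-user")
    return hits


def scan(events: list[dict]) -> list[tuple]:
    """Pair each event id with its rule hits, keeping only events that hit."""
    results = []
    for event in events:
        hits = msbuild_rules(event)
        if hits:
            results.append((event["id"], hits))
    return results


# Constructed telemetry: a normal CI build, the suspicious chain, and noise.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\buildsvc",
     "parent_image": r"C:\agent\bin\AgentService.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
     "command_line": r'MSBuild.exe "C:\agent\_work\1\s\App.sln" /t:Build'},
    {"id": 2, "user": "CORP\\alice",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\seminar.proj"},
    {"id": 3, "user": "CORP\\alice",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Each rule on its own will produce some noise (developers do occasionally run MSBuild from a PowerShell prompt), which is why the function returns every hit rather than a single verdict: an event that trips all three, as event 2 does, deserves an immediate response, while a single hit is a candidate for tuning the allow-list.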
