Govt entities need to be wary of new Trojans, Symantec warns

Abhigna

PUNE, INDIA: As per Symantec's observations, a cyberespionage campaign involving malware known as Wipbot and Turla has systematically targeted the governments and embassies of a number of former Eastern Bloc countries.

Trojan.Wipbot (known by other vendors as Tavdig) is a back door used to facilitate reconnaissance operations before the attackers shift to long-term monitoring operations using Trojan.Turla. Turla is known by other vendors as Uroboros, Snake, and Carbon. It appears that this combination of malware has been used for classic espionage-type operations for at least four years.

As the security vendor further explained, Turla provides the attacker with powerful spying capabilities. It is configured to run every time the computer starts, and once the user opens a Web browser it opens a back door that enables communication with the attackers. Through this back door, the attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities.

The group behind Turla has been reported to use a two-pronged attack strategy that involves infecting victims through spear phishing emails and watering hole attacks. The watering hole attacks display considerable skill, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. These compromised websites deliver a payload of Trojan.Wipbot. It is highly likely that Wipbot is then used as a downloader to deliver Turla to the victim.

While infections initially appeared to be spread over a range of European countries, closer analysis revealed that many infections in Western Europe occurred on computers that were connected to private government networks of former Eastern Bloc countries. These infections transpired to be in the embassies of these countries.

Analysis of infections revealed that the attackers were heavily focused on a small number of countries. For example, in May of 2012, the office of the prime minister of a former Soviet Union member country was infected. This infection spread rapidly and up to 60 computers at the prime minister's office were compromised.

At least five other countries in the region were targeted by similar attacks. While the attackers have largely focused on the former Eastern Bloc, a number of other targets were found. These included the ministry for health of a Western European country, the ministry for education of a Central American country, a state electrical authority in the Middle East, and a medical organization in the US, the company explained.

The group behind Turla uses spear phishing emails and watering hole attacks to infect victims. Some of the spear phishing emails purported to come from a military attaché at a Middle Eastern embassy and had an attachment masquerading as the minutes of meetings. Opening the attachment resulted in Trojan.

Symantec has been tracking the activities of the group behind Turla for a number of years. The identity of the attackers has yet to be established, although timestamps from activity associated with the attacks indicate that most activity occurs during the standard working day of the UTC+4 time zone.

Turla is an evolution of an older piece of malware, Trojan.Minit, which has been in operation since 2004. The current campaign is the work of a well-resourced and technically competent attack group that is capable of penetrating many network defenses. It is focused on targets that would be of interest to a nation state, with spying and theft of sensitive data among its objectives.