Kaspersky Lab experts discovered that the Russian-linked hacker collective known as Turla are now using a new JavaScript malware to profile their targets.
Turla Group Uses a New Dangerous Malware
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
The Turla hacker collective is a group of criminal operators that has been active since at least 2007. Many security experts believe that its members originate from Russia and that they are responsible for several high-profile attacks. Examples include an intrusion attempt against the RUAH Swiss defense company and the United States Central Command. The hackers are also known under the aliases of Waterbug, Venomous Bear and KRYPTON. Their primary tools include Turla (Snake and Uroburos), Epic Turla (Wipbot and Tavdig) and Gloog Turla.
The hackers have targeted organizations located mainly in Europe and The United States. The recent campaigns were observed to target institutions and companies located in Romania, Qatar and Greece. Kaspersky issued a report to its customers in June 2016 which shows that the Turla collective has started to use a JavaScript payload known as Icedcoffee to deliver malware via malicious macro-enabled documents. In November 2016 the experts discovered a new JavaScript payload that is designed mainly to avoid detection by the installed security measures.
The malware is called KopiLuwak has infected at least one victim using a document that contains official correspondence delivered from the Embassy of Qatar in Cyprus to the country’s Ministry of Foreign Affairs. The message is spoofed to appear as a legitimate document the experts believe it may have breached the diplomatic institution. The final payload is hidden under several JavaScript layer. When it achieves persistence it creates a registry key and then the malware executes a series of commands to try to gather information about the system. The harvested data is stored in a temporary data that is deleted when the encryption phase is complete. The virus attempts to contact its main C&C remote malicious servers. The server addresses are hardcoded into the malware itself. The remote C&C server can instruct the virus to carry out various types of actions:
-
Sleep or Disable the malware
-
Terminate C&C communications until a reboot (or another power event)
-
Remove the malware from the infected host
-
Arbitrary remote code execution
One of the C&C domains has already expired which allowed the researchers to acquire it and utilize it as a sinkhole. Using this mechanism the researchers discovered that some of the connected hosts are associated with the Greek Parliament.
For more information you can read Kaspersky’s in-depth blog post.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter