|By Business Wire||
|August 7, 2014 10:01 AM EDT||
Turla, also known as Snake or Uroburos is one of the most sophisticated ongoing cyber-espionage campaigns. When the first research on Turla/Snake/Uroburos was published, it didn’t answer one major question: how do victims get infected?
The latest Kaspersky Lab research on this operation reveals that Epic is the initial stage of the Turla victim infection mechanism.
Turla big picture:
- Epic Turla / Tavdig: The early-stage infection mechanism.
- Cobra Carbon system/ Pfinet (+others): Intermediary upgrades and communication plugins.
- Snake / Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.
The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.
Targets of “Epic” belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations and pharmaceutical companies.
Most of the victims are located in the Middle East and Europe, however, we observed victims in other regions as well, including in the USA. In total, Kaspersky Lab experts counted several hundred victim IPs distributed in more than 45 countries, with France at the top of the list.
The attack. The Kaspersky Lab’s researchers discovered that the Epic Turla attackers use zero-day exploits, social engineering and watering hole techniques attacks to infect victims.
In the past, they used at least two zero-day exploits: one for Escalation of Privileges (EoP) in Windows XP and Windows Server 2003 (CVE-2013-5065) which allows the Epic backdoor to achieve administrator privileges on the system and run unrestricted; and an exploit in Adobe Reader (CVE-2013-3346) that is used in malicious e-mail attachments.
Whenever an unsuspecting user opens a maliciously-crafted PDF file on a vulnerable system, the machine will automatically get infected, allowing the attacker to gain immediate and full control over the target system.
The attackers use both direct spear-phishing e-mails and watering hole attacks to infect victims. The attacks detected in this operation fall into several different categories depending on the initial infection vector used in compromising the victim:
● Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
● Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR
● Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
● Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers
Watering holes are websites commonly visited by potential victims. These websites are compromised in advance by the attackers and injected to serve malicious code. Depending on the visitor’s IP address (for instance, a government organization’s IP), the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. In total, we have observed more than 100 injected websites. The choice of the websites reflects specific interest of attackers. For example, many of infected Spanish websites belong to local governments.
Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&C) server to send a pack with the victim’s system information. The backdoor is also known as “WorldCupSec”, “TadjMakhal”, “Wipbot” or “Tadvig”.
Once a system is compromised, the attackers receive brief summary information from the victim, and based on that, they deliver pre-configured batch files containing a series of commands for execution. In addition to these, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities like a DNS query tool from Microsoft.
Turla’s first stage:
During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the “Cobra/Carbon system”, also named “Pfinet” by some anti-virus products. After some time, the attackers went further and used the Epic implant to update the “Carbon” configuration file with a different set of C&C servers. The unique knowledge to operate these two backdoors indicates a clear and direct connection between each other.
“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system” explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
The attackers behind Turla are clearly not native English speakers. They commonly misspell words and expressions, such as:
- Password it’s wrong!
- File is not exists
- File is exists for edit
There are other indications which provide a hint at the origin of the attackers. For instance, some of the backdoors have been compiled on a system with Russian language. Additionally, the internal name of one of the Epic backdoors is "Zagruzchik.dll", which means "bootloader" or "load program" in Russian.
Finally, the Epic mothership control panel sets the code page to 1251, which is used for Cyrillic characters.
Links with other threat actors:
Interestingly, possible connections with different cyber-espionage campaigns have been observed. In February 2014, Kaspersky Lab experts observed that the threat actor known as Miniduke were using the same web-shells to manage infected web servers as the Epic team did.
To learn more about the “Epic Turla” operation, please read the blog post available at Securelist.com.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.
For the latest in-depth information on security threat issues and trends, please visit:
Follow @Securelist on Twitter
Follow @Threatpost on Twitter
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and shared the must-have mindsets for removing complexity from the develo...
Jul. 26, 2016 02:00 AM EDT Reads: 1,297
SYS-CON Events announced today that MangoApps will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MangoApps provides modern company intranets and team collaboration software, allowing workers to stay connected and productive from anywhere in the world and from any device.
Jul. 26, 2016 01:45 AM EDT Reads: 1,296
The IETF draft standard for M2M certificates is a security solution specifically designed for the demanding needs of IoT/M2M applications. In his session at @ThingsExpo, Brian Romansky, VP of Strategic Technology at TrustPoint Innovation, explained how M2M certificates can efficiently enable confidentiality, integrity, and authenticity on highly constrained devices.
Jul. 26, 2016 01:30 AM EDT Reads: 984
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
Jul. 26, 2016 01:15 AM EDT Reads: 2,517
In today's uber-connected, consumer-centric, cloud-enabled, insights-driven, multi-device, global world, the focus of solutions has shifted from the product that is sold to the person who is buying the product or service. Enterprises have rebranded their business around the consumers of their products. The buyer is the person and the focus is not on the offering. The person is connected through multiple devices, wearables, at home, on the road, and in multiple locations, sometimes simultaneously...
Jul. 26, 2016 12:45 AM EDT Reads: 629
“delaPlex Software provides software outsourcing services. We have a hybrid model where we have onshore developers and project managers that we can place anywhere in the U.S. or in Europe,” explained Manish Sachdeva, CEO at delaPlex Software, in this SYS-CON.tv interview at @ThingsExpo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 26, 2016 12:00 AM EDT Reads: 1,540
"We've discovered that after shows 80% if leads that people get, 80% of the conversations end up on the show floor, meaning people forget about it, people forget who they talk to, people forget that there are actual business opportunities to be had here so we try to help out and keep the conversations going," explained Jeff Mesnik, Founder and President of ContentMX, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 25, 2016 11:15 PM EDT Reads: 1,310
From wearable activity trackers to fantasy e-sports, data and technology are transforming the way athletes train for the game and fans engage with their teams. In his session at @ThingsExpo, will present key data findings from leading sports organizations San Francisco 49ers, Orlando Magic NBA team. By utilizing data analytics these sports orgs have recognized new revenue streams, doubled its fan base and streamlined costs at its stadiums. John Paul is the CEO and Founder of VenueNext. Prior ...
Jul. 25, 2016 11:15 PM EDT Reads: 2,014
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 19th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo Silicon Valley Call for Papers is now open.
Jul. 25, 2016 10:00 PM EDT Reads: 2,505
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discussed how businesses can gain an edge over competitors by empowering consumers to take control through IoT. He cited examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He also highlighted how IoT can revitalize and restore outdated business models, making them profitable ...
Jul. 25, 2016 08:30 PM EDT Reads: 1,940
With 15% of enterprises adopting a hybrid IT strategy, you need to set a plan to integrate hybrid cloud throughout your infrastructure. In his session at 18th Cloud Expo, Steven Dreher, Director of Solutions Architecture at Green House Data, discussed how to plan for shifting resource requirements, overcome challenges, and implement hybrid IT alongside your existing data center assets. Highlights included anticipating workload, cost and resource calculations, integrating services on both sides...
Jul. 25, 2016 08:00 PM EDT Reads: 1,979
Big Data engines are powering a lot of service businesses right now. Data is collected from users from wearable technologies, web behaviors, purchase behavior as well as several arbitrary data points we’d never think of. The demand for faster and bigger engines to crunch and serve up the data to services is growing exponentially. You see a LOT of correlation between “Cloud” and “Big Data” but on Big Data and “Hybrid,” where hybrid hosting is the sanest approach to the Big Data Infrastructure pro...
Jul. 25, 2016 07:30 PM EDT Reads: 1,893
"We are a well-established player in the application life cycle management market and we also have a very strong version control product," stated Flint Brenton, CEO of CollabNet,, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jul. 25, 2016 07:15 PM EDT Reads: 1,798
We all know the latest numbers: Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from last year, and will reach 20.8 billion by 2020. We're rapidly approaching a data production of 40 zettabytes a day – more than we can every physically store, and exabytes and yottabytes are just around the corner. For many that’s a good sign, as data has been proven to equal money – IF it’s ingested, integrated, and analyzed fast enough. Without real-ti...
Jul. 25, 2016 07:15 PM EDT Reads: 1,024
I wanted to gather all of my Internet of Things (IOT) blogs into a single blog (that I could later use with my University of San Francisco (USF) Big Data “MBA” course). However as I started to pull these blogs together, I realized that my IOT discussion lacked a vision; it lacked an end point towards which an organization could drive their IOT envisioning, proof of value, app dev, data engineering and data science efforts. And I think that the IOT end point is really quite simple…
Jul. 25, 2016 06:30 PM EDT Reads: 998
A critical component of any IoT project is what to do with all the data being generated. This data needs to be captured, processed, structured, and stored in a way to facilitate different kinds of queries. Traditional data warehouse and analytical systems are mature technologies that can be used to handle certain kinds of queries, but they are not always well suited to many problems, particularly when there is a need for real-time insights.
Jul. 25, 2016 06:15 PM EDT Reads: 1,760
Unless your company can spend a lot of money on new technology, re-engineering your environment and hiring a comprehensive cybersecurity team, you will most likely move to the cloud or seek external service partnerships. In his session at 18th Cloud Expo, Darren Guccione, CEO of Keeper Security, revealed what you need to know when it comes to encryption in the cloud.
Jul. 25, 2016 06:00 PM EDT Reads: 2,444
We're entering the post-smartphone era, where wearable gadgets from watches and fitness bands to glasses and health aids will power the next technological revolution. With mass adoption of wearable devices comes a new data ecosystem that must be protected. Wearables open new pathways that facilitate the tracking, sharing and storing of consumers’ personal health, location and daily activity data. Consumers have some idea of the data these devices capture, but most don’t realize how revealing and...
Jul. 25, 2016 06:00 PM EDT Reads: 2,079
You think you know what’s in your data. But do you? Most organizations are now aware of the business intelligence represented by their data. Data science stands to take this to a level you never thought of – literally. The techniques of data science, when used with the capabilities of Big Data technologies, can make connections you had not yet imagined, helping you discover new insights and ask new questions of your data. In his session at @ThingsExpo, Sarbjit Sarkaria, data science team lead ...
Jul. 25, 2016 03:45 PM EDT Reads: 971
Extracting business value from Internet of Things (IoT) data doesn’t happen overnight. There are several requirements that must be satisfied, including IoT device enablement, data analysis, real-time detection of complex events and automated orchestration of actions. Unfortunately, too many companies fall short in achieving their business goals by implementing incomplete solutions or not focusing on tangible use cases. In his general session at @ThingsExpo, Dave McCarthy, Director of Products...
Jul. 25, 2016 03:30 PM EDT Reads: 1,703