New Turla Cyber-espionage Malware Disguises as Adobe Flash Player installer

ESET researchers have uncovered state-sponsored hacking operationtargeting diplomats, using a new attack that bundles malware with a legitimate software update.

The attacks are targeting embassies and consulates in eastern European post-Soviet states and have been attributed to Turla, a well-known advanced persistent threat group

The ESET research shows that in addition to bundling its backdoors with a legitimate Flash Player installer, it now also ensures that URLs and the IP addresses it uses appear to correspond to Adobe’s legitimate infrastructure so that victims are convinced  they are downloading authentic software from adobe.com.

Attacks using The new malicious tool are believed to have begun by July 2016; they shares similarities with other malware families spread by the group including use of Mosquito, a backdoor believed created by Turla, as well as using IP addresses previously linked with the group.

ESET point out that Turla’s malware is not known to have tainted any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities.

Possible attack vectors ESET researchers considered are:

• A machine within the network of the victim’s organisation could be hijacked so that it acts as a springboard for a local Man-in-the-Middle (MitM) attack.
• The attackers could compromise the network gateway of an organisation, enabling them to intercept all the incoming and outgoing traffic between that organisation’s intranet and the internet.
• The traffic interception could also occur at the level of internet service providers (ISPs), a tactic seen in recent ESET research into surveillance campaigns deploying FinFisher spyware.
• The attackers could have used a Border Gateway Protocol (BGP) hijack to re-route the traffic to a server controlled by Turla, although ESET notes that this tactic would probably quickly set off alarm bells with Adobe or BGP monitoring services.

Once the fake Flash installer is downloaded and launched, one of several backdoors is dropped. It could be Mosquito, a piece of Win32 malware, a malicious JavaScript file communicating with a web app hosted on Google Apps Script, or an unknown file downloaded from a bogus and non-existent Adobe URL.

Exfiltration of sensitive data can then begin and will include the unique ID of the compromised machine, the username, and the list of security products installed on the device. ‘Only’ the username and device name are exfiltrated by Turla’s backdoor Snake on macOS.

Finally, the fake installer drops – or downloads – and then runs a legitimate Flash Player application whose installer is either embedded in its fake counterpart or is downloaded from a Google Drive web address.