Analyzing the Newest Turla Backdoor
Essential information
- Published
- 27/09/2024 17:23
- Modified
- 27/09/2024 17:47
- Tags
- 2024-09-27 apt backdoor
- Related entities
- 5 observables, 1 intrusion sets (apt), 19 techniques (mitre)
Description
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution. It communicates with the C2 server using encrypted and encoded data. The analysis reveals sophisticated techniques to avoid detection, including DLL mapping to bypass hooks and patching of ETW and AMSI-related functions.