Kaspersky Lab researchers monitoring the various clusters of the long-standing, Russian-speaking threat actor Turla (also known as Snake or Uroburos) have discovered that the most recent evolution of its KopiLuwak malware is delivered to victims using code nearly identical to that used just a month earlier by the Zebrocy operation, a subset of Sofacy (also known as Fancy Bear and APT28), another long-standing Russian-speaking threat actor.


The researchers also found target overlap between the two threat actors, centered on geopolitical hotspots in central Asia and sensitive government and military entities.


The findings are included in an overview of the latest evolution and activity of four active clusters attributed to the Turla threat actor, published today by Kaspersky Lab’s Global Research and Analysis Team (GReAT).


KopiLuwak (the name derives from a rare type of coffee) was first discovered in November 2016. It was delivered through malicious documents with macros enabled, which dropped new, heavily obfuscated JavaScript malware designed for system and network reconnaissance.


The most recent evolution of KopiLuwak was observed in mid-2018, when researchers noticed new targets in Syria and Afghanistan. Turla used a new spear-phishing delivery vector with Windows shortcut (.LNK) files.


Analysis showed that the LNK file contained PowerShell code to decode and drop the KopiLuwak payload. This PowerShell was almost identical to that used in Zebrocy activity a month earlier.
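The delivery vector described above, a Windows shortcut whose command line launches PowerShell to decode a payload, is something a defender can triage by parsing the shortcut itself. The following is an added example, not Kaspersky's code and not derived from an actual Turla sample: it parses the StringData fields of a .LNK file per the public MS-SHLLINK format, then flags PowerShell-launcher patterns (the rule set is a hypothetical one); the sample shortcut and its encoded "command" are constructed placeholders.

```python
import re, struct

# Field offsets and LinkFlags bits from the MS-SHLLINK (Shell Link Binary File Format) spec.
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
STRING_FIELDS = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)
# Hypothetical triage heuristics for a shortcut's target and arguments (not a vendor signature).
SUSPICIOUS = re.compile(r"powershell|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|frombase64string", re.I)

def parse_lnk_strings(data):
    """Return the StringData fields of a .LNK file keyed by LinkFlags bit, skipping IDList/LinkInfo."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDList is prefixed by a 2-byte size (excluding the prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo starts with its own 4-byte total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit in STRING_FIELDS:  # StringData entries appear in this fixed order, only when flagged
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, not byte count
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        fields[bit] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + count * width
    return fields

def lnk_verdict(data):  # extract target/arguments and flag PowerShell-launcher patterns
    f = parse_lnk_strings(data)
    target, args = f.get(HAS_RELATIVE_PATH, ""), f.get(HAS_ARGUMENTS, "")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(target + " " + args)})
    return {"target": target, "args": args, "hits": hits, "suspicious": bool(hits)}

def build_lnk(target, args, unicode=True):  # minimal shell link; constructed test data only
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", HEADER_SIZE) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", flags) + bytes(HEADER_SIZE - 24)  # remaining header fields zeroed
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "latin-1")
    return header + s(target) + s(args)

# Constructed samples: a shortcut launching hidden PowerShell with an encoded placeholder command
# (the "UExBQ0VIT0xERVI=" decodes to "PLACEHOLDER"), and a harmless document shortcut.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-NoProfile -WindowStyle Hidden -EncodedCommand UExBQ0VIT0xERVI=")
BENIGN_LNK = build_lnk(r"..\Documents\report.docx", "")
```

Running `lnk_verdict` over an e-mail attachment quarantine is a cheap first filter; anything flagged still needs the decoded command reviewed by an analyst.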


The researchers also found some targeting overlap between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia.


Other Turla malware clusters tracked by the researchers during 2018 include those known as Carbon and Mosquito.


In their overview, the researchers provide further evidence to support the hypothesis that Wi-Fi networks were abused by Turla to deliver Mosquito malware to victims, a practice that may be tapering off.


They also found further modification of the mature and powerful Carbon cyberespionage framework, which has traditionally been installed only very selectively on victims of particular interest, and expect to see further code modifications and selective deployment of this malware into 2019.


The 2018 targets for the Turla malware clusters include the Middle East and Northern Africa, as well as parts of Western and Eastern Europe, Central and South Asia, and the Americas.


“Turla is one of the oldest, most enduring and capable known threat actors, renowned for constantly shedding its skin and trying out new innovations and approaches. Our research into its main malware clusters during 2018 shows that it continues to regrow and experiment. However, it is worth noting that while other Russia-speaking threat actors like CozyDuke (APT29) and Sofacy were targeting organizations in the west, such as allegedly hacking the Democratic National Committee in 2016, Turla was quietly deploying its operations towards the east, where their activity and, more recently, even their delivery techniques began to overlap with Sofacy’s Zebrocy subset. Our research suggests Turla’s code development and implementation is ongoing, and organizations that believe they could be a target should prepare for this,” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab’s GReAT team.


Kaspersky Lab recommends that, to reduce the risk of falling victim to advanced targeted attack operations, organizations consider the following actions:

  • Use a proven corporate-grade security solution in combination with anti-targeted attack technologies and threat intelligence, like the Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies, and give cybersecurity teams full visibility over the network and response automation.

  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as indicators of compromise (IOCs), YARA rules and customized advanced threat reporting.

  • Make sure enterprise-grade patch management processes are well established, double-check all system configurations and implement best practices.

  • If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.


For further details of 2018 Turla activity, read the blog on Securelist.


Private reports on the latest activity of the various Turla clusters are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com
