Kaspersky Lab researchers monitoring the various clusters of the long-standing, Russian-speaking threat actor Turla (also known as Snake or Uroburos) have discovered that the most recent evolution of its KopiLuwak malware is delivered to victims using code nearly identical to that used just a month earlier by the Zebrocy operation, a subset of Sofacy (also known as Fancy Bear and APT28), another long-standing Russian-speaking threat actor.

 

The researchers also found target overlap between the two threat actors, centered on geopolitical hotspots in central Asia and sensitive government and military entities.

 

The findings are included in an overview of the latest evolution and activity of four active clusters attributed to the Turla threat actor, published today by Kaspersky Lab’s Global Research and Analysis team.

 

KopiLuwak (the name derives from a rare type of coffee) was first discovered in November 2016, delivered through documents carrying malicious macros that, once enabled, dropped new, heavily obfuscated JavaScript malware designed for system and network reconnaissance.

 

The most recent evolution of KopiLuwak was observed in mid-2018, when researchers noticed new targets in Syria and Afghanistan. Turla used a new spear-phishing delivery vector with Windows shortcut (.LNK) files.

 

Analysis showed that the LNK file contained PowerShell to decode and drop the KopiLuwak payload. This PowerShell was almost identical to that used in Zebrocy activity a month earlier.
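As an added example (not code from Kaspersky Lab's report or this article), the following Python script parses a Windows shortcut's string data per the MS-SHLLINK layout and flags the PowerShell-in-LNK delivery pattern described above, decoding any -EncodedCommand argument for analyst triage. The sample shortcut is constructed inline, and the keyword heuristics are assumptions rather than indicators taken from the report.

```python
import base64
import re
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink CLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80            # LinkFlags bits
STRING_FIELDS = (("name", 4), ("relpath", 8), ("workdir", 16), ("args", 32), ("icon", 64))
# Assumed triage heuristics, not indicators taken from the report.
SUSPICIOUS = re.compile(r"powershell|-enc|encodedcommand|-nop|hidden|iex|frombase64string", re.I)
def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (in spec order) of a shortcut; ValueError if not one."""
    if len(data) < 0x4C or data[:20] != struct.pack("<I16s", 0x4C, LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                  # 76-byte ShellLinkHeader; optional blocks follow
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) precedes the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, flag in STRING_FIELDS:
        if flags & flag:        # CountCharacters (2 bytes), then chars, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields
def decode_encoded_command(args: str):
    """-EncodedCommand is base64 of UTF-16LE script text; recover it for the analyst."""
    m = re.search(r"-e(?:ncodedcommand|nc)?\s+([A-Za-z0-9+/=]{8,})", args, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte count
        return None
def triage(data: bytes) -> dict:
    """Flag shortcuts whose target or arguments look like a PowerShell launcher."""
    f = parse_lnk(data)
    blob = " ".join(f.get(k, "") for k in ("relpath", "workdir", "args"))
    hits = sorted({h.lower() for h in SUSPICIOUS.findall(blob)})
    return {"suspicious": bool(hits), "indicators": hits,
            "decoded": decode_encoded_command(f.get("args", ""))}
def build_lnk(relpath: str, args: str) -> bytes:
    """Constructed sample: minimal Unicode .LNK carrying only RELATIVE_PATH and ARGUMENTS."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 8 | 32 | IS_UNICODE) + bytes(52)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relpath, args))

# Constructed input shaped like the LNK delivery described above; the encoded payload is harmless.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SUSPECT = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    f"-NoP -W Hidden -Enc {ENC}")
```

Running `triage(SUSPECT)` reports the matched keywords and the decoded script text, while a plain document shortcut yields no indicators.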

 

The researchers also found some targeting overlap between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia.

 

Other Turla malware clusters tracked by the researchers during 2018 include those known as Carbon and Mosquito.

 

In their overview, the researchers provide further evidence to support the hypothesis that Wi-Fi networks were abused by Turla to deliver Mosquito malware to victims, a practice that may be tapering off.

 

They also found further modification of the mature and powerful Carbon cyberespionage framework, which has traditionally been installed only very selectively on victims of particular interest, and expect to see further code modifications and selective deployment of this malware into 2019.

 

The 2018 targets for the Turla malware clusters include the Middle East and Northern Africa, as well as parts of Western and Eastern Europe, Central and South Asia, and the Americas.

 

“Turla is one of the oldest, most enduring and capable known threat actors, renowned for constantly shedding its skin and trying out new innovations and approaches. Our research into its main malware clusters during 2018 shows that it continues to regrow and experiment. However, it is worth noting that while other Russian-speaking threat actors like CozyDuke (APT29) and Sofacy were targeting organizations in the west, such as allegedly hacking the Democratic National Committee in 2016, Turla was quietly deploying its operations towards the east, where their activity and, more recently, even their delivery techniques began to overlap with Sofacy’s Zebrocy subset. Our research suggests Turla’s code development and implementation is ongoing, and organizations that believe they could be a target should prepare for this,” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab’s GReAT team.

 

Kaspersky Lab recommends that to reduce the risk of falling victim to advanced targeted attack operations, organizations may wish to consider the following actions:

  • Use a proven corporate-grade security solution in combination with anti-targeted attack technologies and threat intelligence, like the Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies, and give cybersecurity teams full visibility over the network and response automation.

 

  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as indicators of compromise (IOC), YARA and customized advanced threat reporting.

 

  • Make sure enterprise-grade patch management processes are well established, double-check all system configurations and implement best practices.

 

  • If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.

 

For further details of 2018 Turla activity, read the blog on Securelist.

 

Private reports on the latest activity of the various Turla clusters are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com

 

