Kaspersky Lab researchers monitoring the various clusters of the long-standing, Russian-speaking threat actor Turla (also known as Snake or Uroburos) have discovered that the most recent evolution of its KopiLuwak malware is delivered to victims using code nearly identical to that used just a month earlier by the Zebrocy operation, a subset of Sofacy (also known as Fancy Bear and APT28), another long-standing Russian-speaking threat actor.

The researchers also found target overlap between the two threat actors, centered on geopolitical hotspots in central Asia and sensitive government and military entities.

The findings are included in an overview of the latest evolution and activity of four active clusters attributed to the Turla threat actor, published today by Kaspersky Lab’s Global Research and Analysis team.

KopiLuwak (the name derives from a rare type of coffee) was first discovered in November 2016. It was delivered through malicious, macro-enabled documents that dropped new, heavily obfuscated JavaScript malware designed for system and network reconnaissance.

The most recent evolution of KopiLuwak was observed in mid-2018, when researchers noticed new targets in Syria and Afghanistan. Turla used a new spear-phishing delivery vector with Windows shortcut (.LNK) files.

Analysis showed that the LNK file contained PowerShell to decode and drop the KopiLuwak payload. This PowerShell was almost identical to that used in Zebrocy activity a month earlier.
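The delivery step described above, a shortcut whose target is PowerShell that decodes and drops the payload, leaves its launcher command line inside the .LNK file itself, so defenders can triage shortcuts without running them. The following Python is an added example and not code from Kaspersky Lab or from the report: it walks the shell-link header and the StringData fields as laid out in the public MS-SHLLINK format and flags shortcuts whose target or arguments invoke PowerShell with encoded-command, hidden-window, no-profile or policy-bypass switches. The shortcut produced by build_sample_lnk() is a constructed fixture, not a real Turla or Zebrocy artifact, and the heuristic names in LAUNCHER_HEURISTICS are assumptions chosen for this example.

```python
"""Triage Windows shortcut (.lnk) files for embedded PowerShell launchers.

Added defender-side example: parses the MS-SHLLINK header and StringData
section and scores the target/arguments against launcher heuristics.
The fixture from build_sample_lnk() is constructed, not a real sample.
"""
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that affect the layout we walk
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

POWERSHELL_RE = re.compile(r"(powershell|pwsh)(\.exe)?", re.IGNORECASE)

# Heuristic names are assumptions for this example; the patterns accept the
# abbreviated switch spellings PowerShell itself accepts (-e, -ec, -enc, ...).
LAUNCHER_HEURISTICS = {
    "encoded_command": re.compile(r"(?<!\S)-e(c|nc|ncodedcommand)?\b", re.IGNORECASE),
    "hidden_window": re.compile(r"(?<!\S)-w(indowstyle)?\s+hidden\b", re.IGNORECASE),
    "no_profile": re.compile(r"(?<!\S)-nop(rofile)?\b", re.IGNORECASE),
    "policy_bypass": re.compile(r"(?<!\S)-ex(ecutionpolicy)?\s+bypass\b", re.IGNORECASE),
    "decode_or_cradle": re.compile(
        r"frombase64string|downloadstring|invoke-expression|\biex\b", re.IGNORECASE),
}


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (empty dict if none are set)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, offset)   # CountCharacters
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        offset += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def triage_lnk(data: bytes) -> dict:
    """Report which heuristics fire and whether the shortcut should be escalated."""
    fields = parse_lnk(data)
    target = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    indicators = []
    if POWERSHELL_RE.search(target):
        indicators.append("powershell_launcher")
        args = fields.get("arguments", "")
        indicators.extend(name for name, rx in LAUNCHER_HEURISTICS.items() if rx.search(args))
    # PowerShell alone is common in admin shortcuts; escalate on launcher plus a switch
    return {"fields": fields, "indicators": indicators, "suspicious": len(indicators) >= 2}


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal constructed shortcut: header, empty IDList, two StringData fields."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # creation/access/write FILETIMEs left zero
        0, 0, 1,     # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # IDList holding only the TerminalID

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + string_data(relative_path) + string_data(arguments)


def sample_shortcuts() -> dict:
    """Two constructed fixtures: a PowerShell launcher and a plain document shortcut."""
    placeholder = base64.b64encode(b"constructed placeholder, not a real payload").decode()
    return {
        "launcher": build_sample_lnk(
            r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            f"-NoProfile -WindowStyle Hidden -EncodedCommand {placeholder}"),
        "benign": build_sample_lnk(r"..\..\Windows\notepad.exe", "notes.txt"),
    }


if __name__ == "__main__":
    for label, blob in sample_shortcuts().items():
        print(label, triage_lnk(blob))
```

The parser deliberately ignores the LinkTargetIDList and LinkInfo blocks, which is enough for this purpose because the command line an attacker needs lives in the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings; a production triage tool would also resolve the IDList target, since a shortcut can name PowerShell there without setting a relative path.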

 

The researchers also found some targeting overlap between the two threat actors, focused on sensitive political targets, including government research and security entities, diplomatic missions and military affairs, mainly in central Asia.

Other Turla malware clusters tracked by the researchers during 2018 include those known as Carbon and Mosquito.

In their overview, the researchers provide further evidence to support the hypothesis that Wi-Fi networks were abused by Turla to deliver Mosquito malware to victims, a practice that may be tapering off.

They also found further modification of the mature and powerful Carbon cyberespionage framework, which has traditionally been installed only very selectively on victims of particular interest, and expect to see further code modifications and selective deployment of this malware into 2019.

The 2018 targets for the Turla malware clusters include the Middle East and Northern Africa, as well as parts of Western and Eastern Europe, Central and South Asia, and the Americas.

“Turla is one of the oldest, most enduring and capable known threat actors, renowned for constantly shedding its skin and trying out new innovations and approaches. Our research into its main malware clusters during 2018 shows that it continues to regrow and experiment. However, it is worth noting that while other Russian-speaking threat actors like CozyDuke (APT29) and Sofacy were targeting organizations in the west, such as allegedly hacking the Democratic National Committee in 2016, Turla was quietly deploying its operations towards the east, where their activity and, more recently, even their delivery techniques began to overlap with Sofacy’s Zebrocy subset. Our research suggests Turla’s code development and implementation is ongoing, and organizations that believe they could be a target should prepare for this,” said Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab’s GReAT team.

Kaspersky Lab recommends that to reduce the risk of falling victim to advanced targeted attack operations, organizations may wish to consider the following actions:

  • Use a proven corporate-grade security solution in combination with anti-targeted attack technologies and threat intelligence, like the Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies, and give cybersecurity teams full visibility over the network and response automation.

  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack research and prevention, such as indicators of compromise (IOC), YARA rules and customized advanced threat reporting.

  • Make sure enterprise-grade patch management processes are well established, double-check all system configurations and implement best practices.

  • If you spot early indicators of a targeted attack, consider managed protection services that will allow you to proactively detect advanced threats, reduce dwell time and arrange timely incident response.

For further details of 2018 Turla activity, read the blog on Securelist.

Private reports on the latest activity of the various Turla clusters are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com
