September 25, 2018 By David Bisson 2 min read

Researchers determined that the victims of a backdoor developed by the advanced persistent threat (APT) group Turla are more numerous than originally expected.

The threat group recently employed the backdoor to access the foreign offices of two European countries and a major defense contractor, according to Slovakian IT security company ESET. Those victims received less publicity than Germany’s Federal Foreign Office, which the group breached after compromising the network of the country’s Federal College of Public Administration.

The most recent versions of Turla’s invention went after targets’ inboxes by subverting Microsoft Office’s Messaging Application Programming Interface (MAPI). They were fully controllable by email and didn’t rely on a conventional command-and-control (C&C) server. Instead, the backdoors used specially crafted PDF files in email attachments to fulfill a series of commands such as data exfiltration. The most recent variant from April 2018 was also capable of executing PowerShell commands by leveraging Empire PSInject.

Turla’s Threat Innovation Continues

In 2017, ESET observed Turla leveraging another backdoor called Gazer to target embassies and government organizations around the world. A year later, researchers found evidence that the threat group was bundling the backdoors with a legitimate Adobe Flash Player installer and using URLs and IP addresses that appeared identical to Adobe’s actual infrastructure.

Given ESET’s most recent findings, Turla is showing no signs of slowing down its efforts to spy on promising targets and secretly infect networks with malware for as long as possible.

How to Block an Email-Borne Backdoor

To defend against this and other backdoor threats, security teams should monitor for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory. Security experts also recommend following the National Institute of Standards and Technology’s (NIST) cybersecurity framework and conducting security awareness training to educate employees about email-based threats.

Sources: ESET, ESET(1), ESET(2)

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today