Bitdefender links Pacifier APT to Turla Group

Security vendor Bitdefender has linked the new Pacifier APT to the Turla Group, which is alleged to be a state-sponsored hacking group engaged in cyber espionage. It mainly targets governments and high-profile institutions in the US and Europe and, according to Bitdefender, focuses on data acquisition and espionage.

This is the second time Bitdefender has examined components of the Pacifier APT. It has now identified three new backdoor modules using what it calls “innovative techniques to communicate with C&C servers.”

In its report, Bitdefender highlights seven key takeaways from its new research:

  • New backdoor modules potentially developed by the Turla group
  • Innovative Visual Basic Script backdoor that uses the browser’s (Internet Explorer) local storage mechanism to communicate with the C&C Server
  • Communication with C&C triggered by user activity (IE launch), not automated by the malware
  • Data exfiltration from non-internet connected victims and backdoor signed with digital certificate
  • Ability to inject into Firefox, Chrome, Browser, Opera and Safari as well as Microsoft’s Internet Explorer to disguise C&C communication
  • Custom deployment of open source tools for reconnaissance and data exfiltration
  • Network topology reconnaissance before deploying tools and malware

These takeaways are explained in detail in the PDF (no registration required). They describe a capable, well-resourced threat that will inevitably succeed against some of its targets. The ability to hide C&C traffic inside several different browsers is a significant challenge for security teams. More worrying, however, is that the group has a valid digital certificate for one of the backdoors, which means a passing signature check alone says nothing about whether a binary can be trusted.

The level of planning shown by Pacifier’s use of reconnaissance tools before any malware is deployed is also a major shift. This is not something to be taken lightly.

Three new backdoors

There are three new backdoor modules that raise the threat level significantly. They are:

Compromised air-gapped systems: The first backdoor targets systems that have no Internet access. As the researchers point out: “This is not the first time cybercriminals have specifically crafted malware for air-gapped systems.” Once installed, Pacifier searches the local network for a computer that does have an Internet connection and then hard-codes that machine as its relay, so it never has to scan again and generate network chatter that would give it away. This backdoor component is signed with a digital certificate that the report says was probably stolen.

Too many security teams treat air gapping as an absolute. Keep in mind that the attack still requires a local network and an Internet-connected machine or device in order to work, so the compromised machine was never fully air gapped. That does not negate the attack, but it does mean it can be mitigated: an isolated host has no business reaching a relay, and restricting or alerting on such lateral traffic breaks the channel.

Covert communication with the C&C: This backdoor uses a Visual Basic script to hide its communication with the C&C server. It sets a new start page for Internet Explorer pointing to a legitimate (but compromised) website. Hidden on that page is a piece of JavaScript that writes new instructions into the browser’s local storage. To local security software this looks like ordinary browser activity and is ignored. The backdoor on the end-user device periodically reads local storage for new instructions, executes them and sends the results to the C&C server the next time IE is started, so network traffic only appears when the user launches the browser rather than on a schedule the malware controls.

Victim profiling using a JavaScript backdoor: This backdoor is described by the report’s authors as simpler than the VBScript one above. It uses basic Windows commands to gather system information and sends it to the C&C over HTTP. Once again it is believed to be unusual enough to escape detection by security software.
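The two points above that a defender can act on directly are the hijacked IE start page with its local-storage dead drop, and the “signed, therefore trusted” trap from the air-gap backdoor. The following PowerShell triage script is an added example written for this article; it is not code from the Bitdefender report and does not detect Pacifier specifically. It assumes a corporate start page of https://intranet.example.com/, the standard IE 8+ DOMStore location under %LOCALAPPDATA%, and an allowlist of signer subjects that you would replace with your own. Run it as the user whose profile you are checking.

```powershell
# Added host-triage example for the IE start-page / local-storage channel and the
# "valid signature is not the same as trusted signer" caveat. Not from the report.

# 1. Compare the IE start page with the value your GPO sets.
#    $ExpectedStartPage is an assumed corporate value; replace it with your own.
function Test-IEStartPage {
    param([string]$ExpectedStartPage = 'https://intranet.example.com/')
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $current = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    [pscustomobject]@{
        Check      = 'IE start page'
        Current    = $current
        Expected   = $ExpectedStartPage
        Suspicious = ($null -ne $current) -and ($current -ne $ExpectedStartPage)
    }
}

# 2. List the DOM storage (localStorage) files IE keeps under DOMStore, newest first.
#    The path is the one used by IE 8 and later (assumption: verify on your build).
#    A recently written entry for a site nobody configured as the start page is a lead.
function Get-IEDomStoreEntries {
    param([int]$Days = 30)
    $root = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer\DOMStore'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

# 3. Get-AuthenticodeSignature reporting 'Valid' only means the file is unmodified and
#    the chain builds to a trusted root; a stolen certificate passes that test until it
#    is revoked. Flag files whose signer is outside the allowlist, and files that are
#    unsigned or broken. The allowlist entries are assumed examples.
function Test-SignerAllowlist {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$TrustedSubjects = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')
    )
    foreach ($p in $Path) {
        $sig     = Get-AuthenticodeSignature -FilePath $p
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        $trusted = $false
        foreach ($t in $TrustedSubjects) {
            if ($subject -like "*$t*") { $trusted = $true }
        }
        [pscustomobject]@{
            File       = $p
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = $thumb
            Suspicious = ($sig.Status -ne 'Valid') -or (-not $trusted)
        }
    }
}

# Example run: start page, DOMStore writes from the last 30 days, and signer checks on
# executables under ProgramData (the directory choice is an assumption; point it at
# wherever your own inventory says new binaries appeared).
Test-IEStartPage | Format-List
Get-IEDomStoreEntries -Days 30 | Select-Object -First 30 | Format-Table -AutoSize
$paths = Get-ChildItem -Path $env:ProgramData -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Select-Object -First 200 -ExpandProperty FullName
if ($paths) {
    Test-SignerAllowlist -Path $paths | Where-Object Suspicious | Format-Table -AutoSize
}
```

Anything the third check flags as Valid but with an unexpected signer is exactly the case the report describes: keep the thumbprint, because that is what you will need to check against the report’s indicators and against your own allowlist going forward.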

What does this mean?

It is not yet clear who the intended victims of this attack are. However, the time and effort the Turla Group has invested make it a dangerous attack with a high likelihood of success. It also demonstrates how innovative cybercriminals can be when it comes to defeating security software.

This latest set of attacks seems to be focused on Windows, with one backdoor specifically written for IE. However, the Turla Group has in the past also targeted Linux systems. It will be interesting to see whether it extends all three attacks to Linux and to other browsers.

The attacks are not just about gathering data. The report authors say: “We also found some other programs and tools for collecting data, including some freely available on the internet and probably uploaded by the attacker post-infection. These free tools enable memory dumping capabilities for 32-bit and 64-bit processes, such as Microsoft Outlook, intercept plain and encrypted browser traffic using man-in-the-middle techniques, or perform local network discovery, potentially to map networks and find other victims or valuable caches of information.”

IT security teams should pay close attention to this report. It gives significant detail about how the attacks occur and what is affected on local systems, and it provides a list of known Pacifier components and indicators of compromise. The latter includes the compromised websites that host the JavaScript for the second backdoor. Although they are legitimate websites, unless they are required for business purposes they should be blacklisted, and any past access to them from inside the network treated as a lead worth investigating.
