Experts Uncover ‘Crutch’ Russian Malware Used in APT Attacks for 5 Years

Cybersecurity researchers today took the wraps off a previously undocumented backdoor and document stealer that has been deployed against specific targets from 2015 to early 2020.

Codenamed “Crutch” by ESET researchers, the malware has been attributed to Turla (aka Venomous Bear or Snake), a Russia-based advanced hacker group known for its extensive attacks against governments, embassies, and military organizations through various watering hole and spear-phishing campaigns.

“These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators,” the cybersecurity firm said in an analysis shared with The Hacker News.

The backdoor implants were secretly installed on several machines belonging to the Ministry of Foreign Affairs in an unnamed country of the European Union.

Besides identifying strong links between a Crutch sample from 2016 and Turla’s yet another second-stage backdoor called Gazer, the latest malware in their diverse toolset points to the group’s continued focus on espionage and reconnaissance against high-profile targets.

Crutch is delivered either via the Skipper suite, a first-stage implant previously attributed to Turla, or a post-exploitation agent called PowerShell Empire, with two different versions of the malware spotted before and after mid-2019.

While the former included a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API to receive commands and upload the results, the newer variant (“Crutch v4”) eschews the setup for a new feature that can automatically upload the files found on local and removable drives to Dropbox by using the Windows Wget utility.

“The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” said ESET researcher Matthieu Faou.

“Furthermore, Crutch is able to bypass some security layers by abusing legitimate infrastructure — here, Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.”

Cyber Security

Articles You May Like

India Smartwatch Shipments Grew 121 Percent YoY in Q1 2023, Fire-Boltt Now in Second Place Globally: Counterpoint
Apple Watch Owners Complain of Screen Tint Issue After watchOS 9.5 Update
Snapchat Reaches Over 200 Million Monthly Active Users in India; Launches My AI Chatbot
Lenovo Tab M9 With 9-Inch Display, 5,100mAh Battery, Dolby Atmos Launched in India: Price, Specifications
Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations

Leave a Reply

Your email address will not be published. Required fields are marked *