Welcome!

Java IoT Authors: Yeshim Deniz, Pat Romanski, Zakia Bouachraoui, Liz McMillan, Elizabeth White

News Feed Item

The Epic Snake: Unraveling the Mysteries of the Turla Cyber-espionage Campaign

LONDON, August 11, 2014 /PRNewswire/ --

The "Epic" operation serves as the first phase in a multi-stage infection of the Turla campaign 

Turla, also known as Snake or Uroburos is one of the most sophisticated ongoing cyber-espionage campaigns. When the first research on Turla/Snake/Uroburos was published, it didn't answer one major question: how do victims become infected?

The latest Kaspersky Lab research on this operation reveals that Epic is the initial stage of the Turla victim infection mechanism.

Turla big picture: 

  • Epic Turla / Tavdig:  The early-stage infection mechanism.
  • Cobra Carbon system/ Pfinet (+others): Intermediary upgrades and communication plugins.
  • Snake / Uroburos:  High-grade malware platform that includes a rootkit and virtual file systems.

Victims 

The "Epic" project has been used since at least 2012, with the highest volume of activity observed in January-February 2014.  Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.

Targets of "Epic" belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organisations and pharmaceutical companies.

Most of the victims are located in the Middle East and Europe, however, we observed victims in other regions, including in the USA. In total, Kaspersky Lab experts counted several hundred victim IPs distributed in more than 45 countries, with France at the top of the list.

Distribution of the top 20 affected countries by victim IP 

The attack 

Kaspersky Lab researchers discovered that the Epic Turla attackers use zero-day exploits, social engineering and watering hole technique attacks to infect victims.

In the past, they used at least two zero-day exploits: one for Escalation of Privileges (EoP) in Windows XP and Windows Server 2003 (CVE-2013-5065.) which allows the Epic backdoor to achieve administrator privileges on the system and run unrestricted; and an exploit in Adobe Reader (CVE-2013-3346) that is used in malicious e-mail attachments.

Whenever an unsuspecting user opens a maliciously-crafted PDF file on a vulnerable system, the machine will automatically become infected, allowing the attacker to gain immediate and full control over the target system.

The attackers use both direct spear-phishing e-mails and watering hole attacks to infect victims. The attacks detected in this operation fall into several different categories depending on the initial infection vector used in compromising the victim:

●    Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065.)

●    Social engineering to trick the user into running malware installers with ".SCR" extension, sometimes packed with RAR

●    Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)

●    Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers

Watering holes are websites commonly visited by potential victims. These websites are compromised in advance by the attackers and are injected to serve malicious code. Depending on the visitor's IP address (for instance, a government organisation's IP), the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. In total, we have observed more than 100 injected websites. The choice of the websites reflects specific interest of attackers. For example, many of the infected Spanish websites belong to local governments.

Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&C) server to send a pack with the victim's system information. The backdoor is also known as "WorldCupSec", "TadjMakhal", "Wipbot" or "Tadvig".

Once a system is compromised, the attackers receive a brief summary of information from the victim, and based on that, they deliver pre-configured batch files containing a series of commands for execution. In addition to these, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities like a DNS query tool from Microsoft.

Turla's first stage: 

During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the "Cobra/Carbon system", also named "Pfinet" by some anti-virus products. After some time, the attackers went further and used the Epic implant to update the "Carbon" configuration file with a different set of C&C servers. The unique knowledge to operate these two backdoors indicates a clear and direct connection between each other.

"The configuration updates for the 'Carbon system' malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system" explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Language usage: 

The attackers behind Turla are clearly not native English speakers. They commonly misspell words and expressions, such as:

  • Password it´s wrong! 
  • File is not exists 
  • File is exists for edit 

There are other indications which provide a hint at the origin of the attackers. For instance, some of the backdoors have been compiled on a system with Russian language. Additionally, the internal name of one of the Epic backdoors is "Zagruzchik.dll", which means "bootloader" or "load program" in Russian.

Finally, the Epic mothership control panel sets the code page to 1251, which is used for Cyrillic characters.

Links with other threat actors: 

Interestingly, possible connections with different cyber-espionage campaigns have been observed. In February 2014, Kaspersky Lab experts observed that the threat actor known as Miniduke were using the same web-shells to manage infected web servers as the Epic team did.

To learn more about the "Epic Turla" operation, please read the blog post available at Securelist.com. 

About Kaspersky Lab 

Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at http://www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012. 

Editorial contact: 

Berkeley PR
Lauren White
[email protected]
Telephone: +44-(0)118-909-0909
1650 Arlington Business Park
RG7 4SA, Reading

Kaspersky Lab UK
Ruth Knowles
[email protected]
Telephone: +44-(0)7590-440-433
2 Kingdom Street
W2 6BD, London

SOURCE Kaspersky Lab

More Stories By PR Newswire

Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

IoT & Smart Cities Stories
Early Bird Registration Discount Expires on August 31, 2018 Conference Registration Link ▸ HERE. Pick from all 200 sessions in all 10 tracks, plus 22 Keynotes & General Sessions! Lunch is served two days. EXPIRES AUGUST 31, 2018. Ticket prices: ($1,295-Aug 31) ($1,495-Oct 31) ($1,995-Nov 12) ($2,500-Walk-in)
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...