Severity
High
Analysis Summary
The APT group Turla, also tracked by researchers under the names Krypton, MAKERSMARK, Snake, Uroburos, Venomous Bear, Waterbug, and WhiteBear, is primarily known for its espionage activities. In this campaign the group has returned with another malicious sample that drops malicious executable files onto targeted users' systems. Believed to be sponsored by the Russian FSB security service, Turla has been active since at least 2008; while constantly evolving its toolkit, it has also turned its attention toward the infrastructure and resources of other APTs.
Impact
- Information Theft
- Cyber Espionage
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Conduct regular security awareness training to educate employees about phishing threats and safe email practices.
- Enable multi-factor authentication (MFA) to strengthen account security and prevent unauthorized access.
- Implement robust email filtering mechanisms to identify and block phishing emails, reducing the risk of malware delivery.
- Ensure timely updates and patches for all software, including Microsoft Exchange servers, to address known vulnerabilities.
- Segregate critical systems and sensitive data from the rest of the network through network segmentation to limit lateral movement.
- Deploy comprehensive endpoint protection solutions to detect and block malware and ransomware, safeguarding devices from compromise.
- Collaborate with cybersecurity organizations and law enforcement agencies to share threat intelligence and stay informed about emerging threats.
- Develop and regularly update an incident response plan to efficiently handle cyber attacks, reducing downtime and minimizing the impact of a breach.