Severity
High
Analysis Summary
A Russia-backed advanced persistent threat (APT) group identified as Turla has launched a sophisticated cyber-espionage campaign targeting individuals and entities in the Philippines.
This campaign uses socially engineered emails containing malicious documents that lure victims under the guise of human rights seminars or public advisories. The ultimate goal is to deliver the TinyTurla backdoor, a fileless malware, into victims' systems for remote command execution and data exfiltration.
Researchers uncovered that the attackers leverage PDF and MSBuild project files within .LNK files to seamlessly execute the malicious payload. The attackers impersonate legitimate authorities to make their emails more convincing, tricking recipients into opening the attachments. When the .LNK file is executed, it triggers a PowerShell script that reads and writes various files, including a lure PDF, encrypted data, and a custom MSBuild project, all stored in the %temp% directory.
The MSBuild project file decrypts the encrypted data and executes it as a new MSBuild project. This process facilitates the delivery of the TinyTurla backdoor without leaving any traditional malware files on the disk, thus enhancing its stealth capabilities. TinyTurla can execute a range of commands received from a command-and-control (C2) server, including uploading and downloading files and adjusting sleep intervals to avoid detection.
The sophistication of this campaign lies in its use of legitimate tools like MSBuild and PowerShell for malicious purposes, making it difficult to detect. Turla has a history of targeting NGOs, particularly those connected to Ukraine, and this campaign aligns with their typical tactics, including using compromised web servers for C2 infrastructure and deploying PHP-based C2s within specific directories.
Defenders can mitigate such threats by implementing strong email-filtering systems to block malicious attachments and by educating employees to be cautious with unsolicited emails. Restricting the use of tools like MSBuild to authorized personnel and disabling unnecessary scripting languages like PowerShell on user workstations can also reduce the risk of such sophisticated attacks.
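The execution chain above (shortcut launches PowerShell, PowerShell stages files in %temp%, MSBuild runs a project from there) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the original advisory or the researchers; the Sysmon-style records, pids and paths are constructed for illustration.

```python
"""Flag MSBuild executions that match the LNK -> PowerShell -> MSBuild staging
chain described in the advisory, over constructed process-creation records."""
import re

# Any path under a user or system temp directory (the advisory's %temp% staging).
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (hypothetical pids and paths, not real indicators).
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command <script body omitted>"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\proj.xml"},
    # Benign control: a build launched by a process outside our window, against a source tree.
    {"pid": 5300, "ppid": 2100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]


def _name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent records of event, nearest first, until the tree runs out."""
    seen = set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        yield event


def detect_msbuild_chain(events):
    """Return {pid: [reasons]} for MSBuild processes matching the advisory's chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        if _name(ev["image"]) != "msbuild.exe":
            continue
        reasons = []
        if TEMP_PATH_RE.search(ev["cmdline"]):
            reasons.append("project file loaded from a temp directory")
        chain = [_name(a["image"]) for a in ancestors(ev, by_pid)]
        if chain and chain[0] in SCRIPT_HOSTS:
            reasons.append("spawned directly by a script host")
            if len(chain) > 1 and chain[1] == "explorer.exe":
                reasons.append("script host launched from explorer.exe (shortcut-style)")
        if reasons:
            findings[ev["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in detect_msbuild_chain(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The temp-path and parentage checks are scored separately so a lone developer build is not flagged while the full staged chain collects all three reasons.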
Impact
- Cyber Espionage
- Unauthorized Access
- Command Execution
- Data Exfiltration
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Conduct regular security awareness training to educate employees about phishing threats and safe email practices.
- Enable multi-factor authentication (MFA) to strengthen account security and prevent unauthorized access.
- Implement robust email filtering mechanisms to identify and block phishing emails, reducing the risk of malware delivery.
- Ensure timely updates and patches for all software, including Microsoft Exchange servers, to address known vulnerabilities.
- Segregate critical systems and sensitive data from the rest of the network through network segmentation to limit lateral movement.
- Deploy comprehensive endpoint protection solutions to detect and block malware and ransomware, safeguarding devices from compromise.
- Collaborate with cybersecurity organizations and law enforcement agencies to share threat intelligence and stay informed about emerging threats.
- Develop and regularly update an incident response plan to efficiently handle cyber attacks, reducing downtime and minimizing the impact of a breach.