Russia-Based Turla APT Group's Infrastructure, Activity Traceable

Russia-Based Turla APT Group's Infrastructure, Activity Traceable
Threat actor's practice of using known malware and tactics gives an opening for defenders, says Recorded Future.

The activities of Turla Group, a stealthy Russia-based threat actor associated with numerous attacks on government, diplomatic, technology, and research organizations, may be trackable because of the group's penchant to use older malware and techniques alongside its arsenal of newer custom tools.


Researchers at Recorded Future recently came to that conclusion after conducting an in-depth analysis of Turla's activities using data from its threat intelligence platform and several other sources, including open source intelligence. The vendor's goal was to see whether it could develop methods — including scanning rules and indicators — for identifying Turla malware and infrastructure.


Recorded Future's analysis showed Turla (aka Snake and Venomous Bear) to be a group that is continuing to develop its own advanced custom malware tools and adopting new attack and obfuscation methods all the time. In 2019, the group began ramping up its use of PowerShell scripts via PowerSploit and PowerShell Empire. It also developed a custom PowerShell backdoor dubbed PowerStallion, all in an apparent effort to make discovery harder for defenders.


However Recorded Future also found that in several lengthy campaigns, Turla had a pattern of using older malware and methods that researchers had previously identified as being used by the threat actor. This habit gives defenders an opening to proactively track and identify Turla’s infrastructure and activities, Recorded Future said.


"Turla is a bit unusual in continuing to use old, well-known malware that they have laying about," says John TerBush, senior threat intelligence researcher at Recorded Future's Insikt Group. There are a handful of other examples of continued use of older malware, such as Winnti and Pl ..

Support the originator by clicking the read the rest link below.