Tracking Turla: New backdoor delivered via Armenian watering holes

Can an old APT learn new tricks? Turla’s TTPs are largely unchanged, but the group recently added a Python backdoor.



ESET researchers found a watering hole (aka strategic web compromise) operation targeting several high-profile Armenian websites. It relies on a fake Adobe Flash update lure and delivers two previously undocumented pieces of malware we have dubbed NetFlash and PyFlash.


Various aspects of this campaign lead us to attribute this operation to Turla, an infamous espionage group active for more than ten years. Its main targets include governmental and military organizations. We have previously reported multiple campaigns of this group including Mosquito and LightNeuron.


This recent operation bears similarities to several of Turla’s watering hole campaigns that we have tracked in the past years. In particular, the modus operandi is similar to a campaign we uncovered in 2017. The various pieces of JavaScript used there are almost identical to those in this campaign, but the targets and payloads are different.
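Watering-hole operations like the one described above work by inserting a script tag into a legitimate page so that visitors load attacker-controlled JavaScript. A practical defensive check is for a site owner to compare the hosts their pages load scripts from against a known-good baseline. The following is an added example of that check, not code from the ESET report or from Turla's tooling; the hostnames, page content and baseline are constructed placeholders (`.invalid` domains) and are not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src="..."> and captures the src value (case-insensitive).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def script_hosts(html, page_host):
    """Return the set of hosts that <script src=...> tags on the page load from.

    Relative paths ("/js/site.js") resolve to the page's own host;
    absolute and protocol-relative URLs ("//cdn.example/x.js") yield their netloc.
    """
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        netloc = urlparse(src).netloc
        hosts.add(netloc.lower() if netloc else page_host.lower())
    return hosts


def unexpected_script_hosts(html, page_host, baseline_hosts):
    """Hosts the page loads scripts from that are absent from the owner's baseline.

    An empty list means every script source is expected; anything else deserves
    a look, since a watering-hole compromise typically shows up as exactly one
    new external script host.
    """
    return sorted(script_hosts(html, page_host) - {h.lower() for h in baseline_hosts})


# Constructed sample data (placeholders, not real sites or indicators).
SITE_HOST = "www.example-site.invalid"
BASELINE = {SITE_HOST, "cdn.example-analytics.invalid"}

CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-analytics.invalid/a.js"></script>
</head><body><p>Ministry news</p></body></html>"""

# Same page with one injected, protocol-relative script tag appended to <head>.
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script src="//update-lure.invalid/flash.js"></script></head>'
)


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(label, "->", unexpected_script_hosts(page, SITE_HOST, BASELINE))
```

Run against a freshly fetched copy of each page, this flags `update-lure.invalid` for the compromised sample and nothing for the clean one. The baseline should be generated from a trusted copy of the site (for example from the deployment artifact, not from the live server), since a compromised server will happily serve the injected tag as its own "baseline".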


Targeted websites


In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.


According to ESET telemetry, the following websites were compromised:


armconsul[.]ru: The Consular Section of the Embassy of Armenia in Russia
mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh
aiisa[.]am: The Armenian Institute of International and Security Affairs
adgf[.]am: The Armenian Deposit Guar ..
