Welcome!

IoT User Interface Authors: Elizabeth White, Liz McMillan, AppDynamics Blog, Yakov Fain, Jason Bloomberg

News Feed Item

The Epic Snake: Unraveling the mysteries of the Turla cyber-espionage campaign

Turla, also known as Snake or Uroburos is one of the most sophisticated ongoing cyber-espionage campaigns. When the first research on Turla/Snake/Uroburos was published, it didn’t answer one major question: how do victims get infected?

The latest Kaspersky Lab research on this operation reveals that Epic is the initial stage of the Turla victim infection mechanism.

Turla big picture:

  • Epic Turla / Tavdig: The early-stage infection mechanism.
  • Cobra Carbon system/ Pfinet (+others): Intermediary upgrades and communication plugins.
  • Snake / Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.

Victims:

The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.

Targets of “Epic” belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations and pharmaceutical companies.

Most of the victims are located in the Middle East and Europe, however, we observed victims in other regions as well, including in the USA. In total, Kaspersky Lab experts counted several hundred victim IPs distributed in more than 45 countries, with France at the top of the list.

The attack. The Kaspersky Lab’s researchers discovered that the Epic Turla attackers use zero-day exploits, social engineering and watering hole techniques attacks to infect victims.

In the past, they used at least two zero-day exploits: one for Escalation of Privileges (EoP) in Windows XP and Windows Server 2003 (CVE-2013-5065) which allows the Epic backdoor to achieve administrator privileges on the system and run unrestricted; and an exploit in Adobe Reader (CVE-2013-3346) that is used in malicious e-mail attachments.

Whenever an unsuspecting user opens a maliciously-crafted PDF file on a vulnerable system, the machine will automatically get infected, allowing the attacker to gain immediate and full control over the target system.

The attackers use both direct spear-phishing e-mails and watering hole attacks to infect victims. The attacks detected in this operation fall into several different categories depending on the initial infection vector used in compromising the victim:

● Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)

● Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR

● Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)

● Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers

Watering holes are websites commonly visited by potential victims. These websites are compromised in advance by the attackers and injected to serve malicious code. Depending on the visitor’s IP address (for instance, a government organization’s IP), the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. In total, we have observed more than 100 injected websites. The choice of the websites reflects specific interest of attackers. For example, many of infected Spanish websites belong to local governments.

Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&C) server to send a pack with the victim’s system information. The backdoor is also known as “WorldCupSec”, “TadjMakhal”, “Wipbot” or “Tadvig”.

Once a system is compromised, the attackers receive brief summary information from the victim, and based on that, they deliver pre-configured batch files containing a series of commands for execution. In addition to these, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities like a DNS query tool from Microsoft.

Turla’s first stage:

During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the “Cobra/Carbon system”, also named “Pfinet” by some anti-virus products. After some time, the attackers went further and used the Epic implant to update the “Carbon” configuration file with a different set of C&C servers. The unique knowledge to operate these two backdoors indicates a clear and direct connection between each other.

“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system” explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Language usage:

The attackers behind Turla are clearly not native English speakers. They commonly misspell words and expressions, such as:

  • Password it’s wrong!
  • File is not exists
  • File is exists for edit

There are other indications which provide a hint at the origin of the attackers. For instance, some of the backdoors have been compiled on a system with Russian language. Additionally, the internal name of one of the Epic backdoors is "Zagruzchik.dll", which means "bootloader" or "load program" in Russian.

Finally, the Epic mothership control panel sets the code page to 1251, which is used for Cyrillic characters.

Links with other threat actors:

Interestingly, possible connections with different cyber-espionage campaigns have been observed. In February 2014, Kaspersky Lab experts observed that the threat actor known as Miniduke were using the same web-shells to manage infected web servers as the Epic team did.

To learn more about the “Epic Turla” operation, please read the blog post available at Securelist.com.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam

Follow @Securelist on Twitter

Threatpost | The First Stop for Security News

Follow @Threatpost on Twitter

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

@CloudExpo Stories
Companies can harness IoT and predictive analytics to sustain business continuity; predict and manage site performance during emergencies; minimize expensive reactive maintenance; and forecast equipment and maintenance budgets and expenditures. Providing cost-effective, uninterrupted service is challenging, particularly for organizations with geographically dispersed operations.
SYS-CON Events announced today that BMC Software has been named "Siver Sponsor" of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2015 at the Javits Center in New York, New York. BMC is a global leader in innovative software solutions that help businesses transform into digital enterprises for the ultimate competitive advantage. BMC Digital Enterprise Management is a set of innovative IT solutions designed to make digital business fast, seamless, and optimized from mainframe to mo...
SoftLayer operates a global cloud infrastructure platform built for Internet scale. With a global footprint of data centers and network points of presence, SoftLayer provides infrastructure as a service to leading-edge customers ranging from Web startups to global enterprises. SoftLayer's modular architecture, full-featured API, and sophisticated automation provide unparalleled performance and control. Its flexible unified platform seamlessly spans physical and virtual devices linked via a world...
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discuss how businesses can gain an edge over competitors by empowering consumers to take control through IoT. We'll cite examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He'll also highlight how IoT can revitalize and restore outdated business models, making them profitable...
SYS-CON Events announced today the Docker Meets Kubernetes – Intro into the Kubernetes World, being held June 9, 2016, in conjunction with 18th Cloud Expo | @ThingsExpo, at the Javits Center in New York, NY. Register for 'Docker Meets Kubernetes Workshop' Here! This workshop led by Sebastian Scheele, co-founder of Loodse, introduces participants to Kubernetes (container orchestration). Through a combination of instructor-led presentations, demonstrations, and hands-on labs, participants learn ...
As organizations shift towards IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. Commvault can ensure protection, access and E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his general session at 18th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Part...
The cloud market growth today is largely in public clouds. While there is a lot of spend in IT departments in virtualization, these aren’t yet translating into a true “cloud” experience within the enterprise. What is stopping the growth of the “private cloud” market? In his general session at 18th Cloud Expo, Nara Rajagopalan, CEO of Accelerite, will explore the challenges in deploying, managing, and getting adoption for a private cloud within an enterprise. What are the key differences betwee...
IoT generates lots of temporal data. But how do you unlock its value? How do you coordinate the diverse moving parts that must come together when developing your IoT product? What are the key challenges addressed by Data as a Service? How does cloud computing underlie and connect the notions of Digital and DevOps What is the impact of the API economy? What is the business imperative for Cognitive Computing? Get all these questions and hundreds more like them answered at the 18th Cloud Expo...
SYS-CON Events announced today that EastBanc Technologies will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. EastBanc Technologies has been working at the frontier of technology since 1999. Today, the firm provides full-lifecycle software development delivering flexible technology solutions that seamlessly integrate with existing systems – whether on premise or cloud. EastBanc Technologies partners with p...
In his session at 18th Cloud Expo, Andrew Cole, Director of Solutions Engineering at Peak 10, will discuss how the newest technology advances are reducing the cost and complexity of traditional business continuity and disaster recovery solutions. Attendees will: Learn why having a full disaster recovery strategy is more important now than ever before Explore the key drivers of a successful disaster recovery solution Achieve measurable operational and business value from a disaster recovery ...
SYS-CON Events announced today that Commvault, a global leader in enterprise data protection and information management, has been named “Bronze Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Commvault is a leading provider of data protection and information management...
SYS-CON Events announced today that Tintri Inc., a leading producer of VM-aware storage (VAS) for virtualization and cloud environments, will exhibit at the 18th International CloudExpo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Hanu Software will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Leveraging best-in-class people, processes, and technologies, Hanu provides high-quality, high-value software development and business process outsourcing services to independent software vendors (ISVs) and enterprises.
SYS-CON Events announced today Object Management Group® has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY, and the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 18th Cloud Expo, Bruce Swann, Senior Product Marketing Manager at Adobe, will discuss how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects). Bruce Swann has more than 15 years of experience working with digital marketing disciplines like web analytics, social med...
The initial debate is over: Any enterprise with a serious commitment to IT is migrating to the cloud. But things are not so simple. There is a complex mix of on-premises, colocated, and public-cloud deployments. In this power panel at 18th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists will look at the present state of cloud from the C-level view, and how great companies and rock star executives can use cloud computing to meet their most ambitious and disruptive business ...
The cloud era has reached the stage where it is no longer a question of whether a company should migrate, but when. Enterprises have embraced the outsourcing of where their various applications are stored and who manages them, saving significant investment along the way. Plus, the cloud has become a defining competitive edge. Companies that fail to successfully adapt risk failure. The media, of course, continues to extol the virtues of the cloud, including how easy it is to get there. Migrating...
SYS-CON Events announced today that ContentMX, the marketing technology and services company with a singular mission to increase engagement and drive more conversations for enterprise, channel and SMB technology marketers, has been named “Sponsor & Exhibitor Lounge Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York City, New York. “CloudExpo is a great opportunity to start a conversation with new prospects, but what happens after the...
SYS-CON Events announced today that Isomorphic Software will exhibit at SYS-CON's [email protected] at Cloud Expo New York, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Isomorphic Software provides the SmartClient HTML5/AJAX platform, the most advanced technology for building rich, high-productivity enterprise web applications for any device. SmartClient couples the industry’s broadest, deepest UI component set with a java server framework to deliver an end-...
The IoTs will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform. In his session at @ThingsExpo, Craig Sproule, CEO of Metavine, will demonstrate how to move beyond today's coding paradigm and share the must-have mindsets for removing complexity from the development proc...