Turla Sets Its Sights on Collecting Data from Defense Industries
In a collaborative effort, Ukraine's CERT-UA and Microsoft have identified an active cyber campaign launched by the Russian threat group Turla (also known as Secret Blizzard, KRYPTON, and UAC-0003). The campaign's primary objective is to gather sensitive data from defense organizations in Ukraine and Eastern Europe using spyware tracked as Capibar (also tracked as "DeliveryCheck" by Microsoft and "GAMEDAY" by Mandiant) and Kazuar. According to Microsoft, the "threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems."
The Turla-initiated attacks begin with phishing emails that deliver the Capibar malware inside weaponized Excel XLSM attachments. Once triggered, the macro runs a PowerShell command that establishes persistence through a scheduled task masquerading as a Firefox update. The task's real purpose is to download the Capibar backdoor, which then fetches additional payloads. Microsoft and CERT-UA have also observed the threat actors using open-source tools such as Rclone to exfiltrate files with specific file extensions.
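The persistence step above (a scheduled task named like a Firefox update whose action is really a PowerShell stager) lends itself to a simple hunt over exported task definitions. The script below is an added example written for this article, not tooling from Microsoft or CERT-UA; the task names, paths and arguments it contains are constructed sample data, not indicators from the campaign.

```python
"""Hunt for scheduled tasks that pose as a Firefox update but launch PowerShell,
the persistence pattern described above. Task definitions are supplied in the
XML format that `schtasks /query /xml` exports. The sample tasks at the bottom
are constructed for this example and are not indicators from the campaign."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
UPDATER_THEME = re.compile(r"firefox|mozilla", re.IGNORECASE)
# Interpreters and tools a genuine browser updater task has no reason to run.
LOLBIN = re.compile(r"^(powershell|pwsh|cmd|mshta|wscript|cscript|rclone)(\.exe)?$", re.IGNORECASE)
# Argument patterns typical of a download-and-execute stager.
STAGER_ARGS = re.compile(r"-e(nc|ncodedcommand)?\b|downloadstring|downloadfile|iex\b|invoke-expression",
                         re.IGNORECASE)


def check_task(name: str, task_xml: str) -> list[str]:
    """Return findings for one task definition; an empty list means nothing matched."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        binary = command.replace("\\", "/").rsplit("/", 1)[-1]
        # Mismatch between the task's theme and what it actually executes.
        if UPDATER_THEME.search(name) and LOLBIN.match(binary):
            findings.append(f"{name}: updater-themed task runs {binary}")
        # Stager-style arguments are suspicious regardless of the task name.
        if STAGER_ARGS.search(args):
            findings.append(f"{name}: stager-style arguments ({args[:40]})")
    return findings


def scan_tasks(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Run check_task over every exported task; returns only tasks with findings."""
    return {name: hits for name, xml in tasks.items() if (hits := check_task(name, xml))}


SAMPLE_TASKS = {  # constructed sample data: one benign task, one masquerading task
    "Mozilla Firefox Updater": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>"C:\\Program Files\\Mozilla Firefox\\updater.exe"</Command></Exec></Actions>
</Task>""",
    "Firefox Update Service": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -enc PLACEHOLDER_BASE64</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for task, hits in scan_tasks(SAMPLE_TASKS).items():
        print(task, "->", "; ".join(hits))
```

On a live host, feed it the output of `schtasks /query /xml` per task and review every hit against the Firefox install path rather than treating a match as proof of compromise.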
Another notable capability of Capibar is its ability to turn a compromised, otherwise legitimate Exchange server into a malware control center. This is accomplished by abusing the PowerShell Desired State Configuration (DSC) module to create a Managed Object Format (MOF) file "containing a PowerShell script that loads the embedded .NET payload into memory," Microsoft explains. The Kazuar backdoor is also a capable tool, with over 40 functions and the ability to steal data from event logs, forensic artifacts, browser credentials, databases, and configuration files. CERT-UA has distributed samples to organizations in an effort to boost detection. As of July 20th, 2023 (12:00 UTC), the detection score for a sample of Capibar malware remains relatively low at 20/70 on VirusTotal.