{"id":3435,"date":"2014-12-17T18:54:24","date_gmt":"2014-12-17T18:54:24","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3435"},"modified":"2020-02-27T03:52:08","modified_gmt":"2020-02-26T16:52:08","slug":"no-penguin-left-behind-epic-turla-apts-linux-component-discovered","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/no-penguin-left-behind-epic-turla-apts-linux-component-discovered\/3435\/","title":{"rendered":"No penguin left behind: Epic Turla APT&#8217;s Linux component discovered"},"content":{"rendered":"<p>Kaspersky Lab experts <a href=\"https:\/\/securelist.com\/blog\/research\/67962\/the-penquin-turla-2\/\" target=\"_blank\" rel=\"noopener\">unveiled<\/a> new Linux-targeting malware related to the infamous Turla APT.<\/p>\n<p>Epic Turla (aka Uroburos, Snake, etc.) is considered one of the most complex APTs in the world. Analysis of it was published earlier this year (see Securelist and the Kaspersky Business blog for details), and the newly discovered malware seems to be the \u201cpreviously unknown piece of a larger puzzle\u201d, according to Kurt Baumgartner and Costin Raiu.<\/p>\n<p>All previously known \u201cpieces\u201d targeted the Microsoft Windows family, both 32- and 64-bit, using zero-day vulnerabilities in Microsoft and Adobe products together with the appropriate backdoors. A Linux component was suspected, although it hadn\u2019t been observed in the wild. 
Until now.<\/p>\n<p>The attacks carried out in the course of the Epic Turla campaign are very sophisticated. The campaign employs multistage infections, with a number of backdoors, keyloggers, rootkits, and other malicious tools deployed onto the compromised systems one after another.<\/p>\n<p>The most interesting point is the initial vector. Epic Turla uses relatively \u201cmundane\u201d methods. An attack scenario against a given business would look like this: First, a spearphishing e-mail is sent, crafted well enough to ensure it is going to be opened and the malicious payload activated. The e-mail is sent to the right person (previously identified by the attackers), it has industry- (and situation-) relevant headers \u2013 as does the attached document \u2013 and the spoofed sender looks credible.<\/p>\n<p>Then there are waterhole attacks \u2013 combined with social engineering \u2013 used to lure the victims to compromised websites. Needless to say, compromising those sites is a separate activity that requires some effort. This shows how thorough the actors behind the Epic Turla campaign are.<\/p>\n<p>The attackers are also notoriously dynamic in using exploits or different methods depending on what is available at the moment. 
Today, they may send you a spearphish and the next day you\u2019re prompted to download a fake Flash Player, etc.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/12\/06020225\/Epic-Turla-2-1024x1024.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3438\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/12\/06020225\/Epic-Turla-2.png\" alt=\"Epic-Turla\" width=\"1034\" height=\"1034\"><\/a><\/p>\n<p>Once they are in, the compromised system is served with a backdoor, then a keylogger. If attackers find their target is indeed of interest to them, a more advanced and sophisticated backdoor from the Carbon\/Cobra family is installed \u2013 again, in several stages (a detailed description is available <a href=\"https:\/\/securelist.com\/analysis\/publications\/65545\/the-epic-turla-operation\/\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>Now, the Linux component \u2013 the so-called \u201cPenquin\u201d Turla. Why is it there if Epic Turla is mostly Windows oriented?<\/p>\n<p>The most likely answers are the most obvious. First, Linux is widely used on servers. 
And taking over a server means securing a nearly perfect spot to intercept the data of interest.<\/p>\n<p>Also, Linux-based endpoints are common in government organizations worldwide \u2013 both in developing and developed countries \u2013 and government organizations are the primary targets for Epic Turla.<\/p>\n<p>Now the troubling part: According to Securelist, \u201cPenquin\u201d Turla is a stealth backdoor which doesn\u2019t require \u201celevated privileges\u201d \u2013 i.e. any administrative or root rights from the user. Even if a user with limited access to the system launches it, the backdoor can intercept incoming packets and execute commands sent by the attackers while remaining stealthy. It is also rather hard to uncover, so if this thing slithers its way onto the servers, it may sit tight and low indefinitely \u2013 depending on when the compromised system\u2019s operators check the machine for more exotic threats.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/12\/06020224\/wide-3-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-3436\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/12\/06020224\/wide-3-1.png\" alt=\"wide-3\" width=\"1000\" height=\"555\"><\/a><\/p>\n<p>The question now is: How many more Epic Turla malware variants are out there undiscovered? 
What might they target, and what can potential victims do to stop it from happening?<\/p>\n<p>The technical tools capable of protecting your infrastructure from the \u201cinitial vector\u201d attacks listed above \u2013 namely phishing and waterholing \u2013 do exist, but it is also vitally important that employees are aware of these threats and know how to counter them too.<\/p>\n<p>More data on the Epic Turla campaign:<\/p>\n<ul>\n<li>Epic Operation Kicks Off Multistage Turla APT<\/li>\n<li><a href=\"https:\/\/securelist.com\/analysis\/publications\/65545\/the-epic-turla-operation\/\" target=\"_blank\" rel=\"noopener\">The Epic Turla Operation<\/a><\/li>\n<li><a href=\"https:\/\/securelist.com\/blog\/research\/67962\/the-penquin-turla-2\/\" target=\"_blank\" rel=\"noopener\">The \u2018Penquin\u2019 Turla: A Turla\/Snake\/Uroburos Malware for Linux<\/a><\/li>\n<li><a href=\"https:\/\/business.kaspersky.com\/epic-turla-catching-the-reptiles-tail\/2350\" target=\"_blank\" rel=\"noopener nofollow\">Epic Turla \u2013 catching the reptile\u2019s tail<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab experts unveiled new Linux-targeting malware related to the infamous Turla APT. Such modules were known to exist before, but had never been met in the wild. 
Until now.<\/p>\n","protected":false},"author":209,"featured_media":15814,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[282,2261,562,36],"class_list":{"0":"post-3435","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-epic-turla-apt","11":"tag-linux","12":"tag-malware-2"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/no-penguin-left-behind-epic-turla-apts-linux-component-discovered\/3435\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/no-penguin-left-behind-epic-turla-apts-linux-component-discovered\/3435\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/no-penguin-left-behind-epic-turla-apts-linux-component-discovered\/3435\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/cybersecurity\/","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=3435"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3435\/revisions"}],"predecessor-version":[{"id":26602,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3435\/revisions\/26602"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15814"}],"wp:attachment":[{"href":"h
ttps:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=3435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=3435"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=3435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}