05/07/2024

Turla: A Master’s Art of Evasion

A Master’s Art of Evasion Malware

An analysis by Ricardo Pineda, Jr. and Arvin Bandong

Introduction

A shortcut file is a handle in a user interface that allows the user to execute a file or resource located in a different folder which provides convenience to the user in a system. But what if threat actors weaponize it to do their bidding? On the 9th day of May 2024, GDATA analysts observed a possible new campaign that uses malicious shortcut file that leverages on Microsoft's platform for building application to deploy a fileless backdoor into the system. It also employs memory patching, bypass AMSI and disable system’s event logging features to impair system’s defense to enhance its evasion capability. Turla, also known by other names such as "Uroburos" is a name that G DATA researchers are familiar with, since they have contributed to one of the first analyses of this Russia-based malware - more than 10 years ago

 

Technical Details

Intrusion and infection

The malicious shortcut file's package origin is from a compromised website of one of the top newspaper and media outlet from the Philippines, Philippine Daily Inquirer at hxxps://ies.inquirer.com.ph/--REDACTED--/Advisory23-UCDMS04-11-01.zip

The infection starts with a malicious package downloaded from a compromised website. The link to the file is potentially distributed through phishing emails that contain the URL of said website. When an unsuspecting user executes the extracted malicious shortcut file from the downloaded package, it will lead to an execution of a PowerShell script that will deploy a fileless backdoor into the system. It leverages Microsoft’s msbuild.exe to implement AWL (Application Whitelist) Bypass to avoid detection. It also creates a scheduled task to serve as part of its persistence method and to maintain its existence in the system to carry out its malicious routines.

Technical Analysis

The malicious shortcut file arrives on the system, masquerading itself as a shortcut file of a normal pdf document. It uses the filename Advisory23-USDMS04-11-01.pdf.lnk, which represents a reference number of Philippine Statistic Authority (PSA) Public Advisory. PSA is the national statistical authority of the Philippines that is responsible for all national censuses and surveys, and compilation of national accounts.

Upon execution of the malicious shortcut file, it will trigger an execution of a PowerShell script that will drop the following files:

 

%temp%\ChromeConnection
%temp%\ Advisory23-USDMS04-11-01.pdf

The file Advisory23-USDMS04-11-01.pdf is a benign document that contains the PSA Public Advisory as shown in the figure below:

This document is a decoy which is to detract from of the malicious activities performed in the background by ChromeConnection. Said file is a malicious MSBuild project file that will be loaded by msbuild.exe after being triggered by a PowerShell script.

The project file will only work on 64-bit operating systems as the assembly file indicated in it is located in the Framework64 directory of Microsoft.Net. Upon execution of the project file “ChromeConnection” via msbuild.exe, it creates a scheduled task as part of the malware’s persistence mechanism:

 

/create /sc MINUTE /mo 30 /st 07:00:00 /tn "ChromeConnection" /tr "cmd /c start /min 
%windir%\Microsoft.NET\Framework64\v4.0.30319\MSBuild %temp%\ChromeConnection" /f

 

As we can see, "ChromeConnection" is started every 30 minutes, starting at 7 a.m.
Then it loads the obfuscated payload of the project file into the system. This payload is a  fileless backdoor.

The backdoor is an MSIL compiled binary. It is protected by SmartAssembly, a powerful obfuscation tool that secures an application against disassembly and reverse engineering and some of its codes are hidden, which can be considered as part of its anti-debugging schemes.

The Backdoor

Backdoors such as this one are capable of evading detection by disabling the system’s Event Tracing for Windows (ETW). This feature provides a mechanism to trace and log events that are generated by user-mode applications as well as kernel-mode drivers. The backdoor also performs memory patching on some of the in-memory system module components as part of its anti-detection scheme. Another part of this scheme is the  bypassing of the Windows Antimalware Scan Interface (AMSI), a security feature in Windows that enables applications and services to integrate with any antimalware product present on a computer.
Next, a connection to its command & control server (c2 server) is established using different URLs. First the malware will establish a connection to the following URL:

hxxp://files.philbendeck.com/file/<computed string encoded ID>.jsp

This URL is a personal website of an individual whose website was compromised. This connection will verify the continuity of the backdoor’s routine depending on the server’s response.

Upon successful verification from the server, it will establish connection to the server using the next URL:
hxxp://files.philbendeck.com/help/<computed string encoded ID>.jsp
When connecting to the server, it will transmit commands for the backdoor:This connection will dictate the commands of the backdoor depending on the response of the server.

Backdoor Commands

ps creates a PowerShell runspace that will perform the following:

  • disable event related features of the system by disabling the ETW
  • disable event related module functions by performing memory patching on in-memory system module components
  • disable AMSI scan feature by performing memory patching on in-memory amsi.dll
  • execute a PowerShell script received from the server

All of these are logged and will be sent to the URL hxxp://files.philbendeck.com/article/<computed string encoded ID>.jsp

cps

  • closes the PowerShell runspace

op

  • reports reconnect, sleep and receive timeout of the backdoor
  • This information is sent to the server via the following URL: hxxp://files.philbendeck.com/about/<computed string encoded ID>.jsp

uf

  • creates a file using the username as its filename, where in the content is received from the server

Conclusion

Upon analyzing this malware, we were able to find some similarities with other malware utilized by Turla. First, is its use of compromised website as its server. Next, is AMSI bypassing by patching on in-memory amsi.dll. Another one is usage of PowerShell script to load malicious codes in memory which enables it to evade detection. Lastly is execution of other PowerShell scripts provided by the server and reporting the result back to it. We also identified new techniques employed by this malware that are not yet utilized by malware from Turla APT Family.

  • Employment of LNK file
  • Usage of MSbuild to load project file that will launch fileless backdoor
  • Disabling event related module functions by patching on in-memory system module components (advapi32.dll, ntdll.dll)
  • Disabling Event Tracing for Windows (ETW)

Prevention

To prevent this kind of malware infecting your system, here are some practical tips:

  • Set PowerShell execution policy to execute only signed scripts.
  • It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact on an environment, since it could be in use for many legitimate purposes and administrative functions.
  • Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
  • MSBuild.exe may not be necessary within an environment and should be removed if not being used.
  • Use application control configured to block execution of msbuild.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

MITRE ATT&CK

TechniquesSub-TechniquesIDProcedure
Masquerading T1036masquerades itself as a shortcut file of a normal pdf document
Command and Scripting InterpreterPowerShellT1059.001used obfuscated PowerShell to extract an encoded payload from within an .LNK file and open a decoy document
Impair DefensesDisable or Modify ToolsT1562.001

** performed AMSI bypass, which patches the in-memory amsi.dll

** disable event related module functions by patching in-memory system modules (advapi32.dll, ntdll.dll)
 Disable Windows Event LoggingT1562.002disable system's ETW (Event Tracing for Windows)
Trusted Developer Utilities Proxy ExecutionMSBuildT1127.001used msbuild to load a malicious project file
Scheduled Task/JobScheduled TaskT1053.005achieved persistence via scheduled tasks
Deobfuscate/Decode Files or Information T1140decode information
Obfuscated Files or InformationEncrypted/Encoded FileT1027.013encode information
 Embedded PayloadsT1027.009loads an embedded payload in the memory
 Fileless StorageT1027.011encoded malicious binary embedded in a project file
Application Layer ProtocolWeb ProtocolsT1071.001use HTTP to communicate with C2 server

 

IOC

SHA256Filename
cac4d4364d20fa343bf681f6544b31995a57d8f69ee606c4675db60be5ae8775Advisory23-CDMS04-11-01.pdf.lnk
c2618fb013135485f9f9aa27983df3371dfdcb7beecde86d02cee0c258d5ed7fAdvisory23-UCDMS04-11-01.pdf.zip
b6abbeab6e000036c6cdffc57c096d796397263e280ea264eba73ac5bab39441ChromeConnection
7091ce97fb5906680c1b09558bafdf9681a81f5f524677b90fd0f7fc0a05bc00None (extracted embedded binary)
URLDescription
hxxps://ies.inquirer.com.ph/advprod03/assets/images/Advisory23-UCDMS04-11-01.zipOrigin of the malicious lnk file's package
hxxp://files.philbendeck.com/file/<computed string encoded ID>.jspmalware server used for connection verification
hxxp://files.philbendeck.com/help/<computed string encoded ID>.jspmalware server used for backdoor commands
hxxp://files.philbendeck.com/article/<computed string encoded ID>.jspmalware server used for reporting of disabling system event features and script execution result
hxxp://files.philbendeck.com/about/<computed string encoded ID>.jspmalware server used for reporting of time of malware's reconnection, sleep and receive timeout