
Crutch Malware

Posted: December 3, 2020

The Crutch Malware is believed to be part of the arsenal of the Turla hacking group, a Russian Advanced Persistent Threat (APT) actor specializing in attacks against government entities and companies operating in the education, medical, and energy industries. Their latest project, the Crutch Malware, was discovered on the systems of a government within the European Union, and it appears to work as both a backdoor Trojan and a covert infostealer. The low detection rate of the Crutch Malware is likely a sign that it is being used against very few selected targets, which allows it to stay undetected for longer.

The modus operandi of the Crutch Malware appears to be flexible. While the malware is capable of searching for specific types of documents (RTF, DOC, DOCX, and PDF) automatically, it also allows the remote operator to control it manually. Regardless of the technique used, the Crutch Malware always exfiltrates files in the same manner: it compresses them into a ZIP archive and then uploads them to a Dropbox account controlled by the hackers. Apart from scanning the hard drive of the compromised system, the Crutch Malware can also check removable storage devices for the presence of the targeted files.
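As an added illustration (not code from the original post or from any analysis of the Turla toolset), here is a Python hunt for the staging pattern described above: ZIP archives whose members are exclusively RTF, DOC, DOCX, or PDF documents. The minimum-member threshold and the constructed sample directory are assumptions, not values taken from the malware.

```python
"""Hunt for staged exfiltration archives: ZIP files whose members are
exclusively the document types the text says Crutch collects.
Added example for defenders; thresholds and sample data are assumptions."""
import os
import tempfile
import zipfile
from pathlib import Path

# Document types the text says the malware searches for automatically.
TARGET_EXTENSIONS = {".rtf", ".doc", ".docx", ".pdf"}


def is_suspicious_archive(path, min_members=2):
    """Return True if `path` is a ZIP whose members are all target documents.
    Archives with fewer than `min_members` files are ignored to limit noise
    (the threshold is an assumption; tune it for your environment)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    if len(names) < min_members:
        return False
    return all(Path(n).suffix.lower() in TARGET_EXTENSIONS for n in names)


def hunt(root):
    """Walk `root` and return the paths of archives matching the staging pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_suspicious_archive(full):
                    hits.append(full)
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or truncated archive; skip it
    return hits


def build_sample_tree():
    """Constructed sample data: one staging-like ZIP of documents, one mixed ZIP."""
    root = tempfile.mkdtemp(prefix="crutch_hunt_")
    with zipfile.ZipFile(os.path.join(root, "staged.zip"), "w") as zf:
        zf.writestr("report.docx", b"constructed content")
        zf.writestr("budget.pdf", b"constructed content")
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("notes.doc", b"constructed content")
        zf.writestr("photo.jpg", b"constructed content")
    return root


if __name__ == "__main__":
    for hit in hunt(build_sample_tree()):
        print("possible staging archive:", hit)
```

In a real hunt, point `hunt()` at user profile and temp directories and pair any hit with proxy logs showing uploads to Dropbox from the same host.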

The Turla hackers have over a decade of experience in the field, and the Crutch Malware is just one of the many implants they use. Cybersecurity experts believe that the Crutch Malware does not work as a first-stage backdoor; instead, it is installed after the criminals have already infiltrated the victim's network via a different piece of malware. Using a legitimate service like Dropbox to exfiltrate the collected data is a simple trick to make the harmful activity blend in with legitimate network traffic, so as not to raise any suspicion.
