Turla Backdoor

Security researchers have released a detailed white paper on a peculiar backdoor malware that allowed the Advanced Persistent Threat (ATP) group known as Turla to infiltrate the authorities of several European countries and monitor their communications. The backdoor was controlled by emails with PDF attachments containing hidden commands and was able to log and collect data from the compromised computers. The malware was found to have been active within the German Federal Foreign Office for nearly a year before being detected. The same backdoor malware also was employed against two other European countries successfully, as well as a major defense contractor. This is not the first time Turla had breached heavily-guarded networks. Among their victims are the U.S. Central Command, the Swiss military company RUAG and the Finnish Foreign Ministry.

Building a Backdoor

The experts speculate that the development of the Turla Backdoor must have taken a considerable amount of time due to its sophisticated nature. If the timestamps are to be believed, a very limited version of the malware that was only capable of dumping email content dates as far back as 2009. In comparison, more recent versions target Microsoft Outlook and can execute PowerShell scripts into the computer memory directly. It should be noted that the Turla Backdoor doesn’t exploit any vulnerabilities in either Outlook or PDF readers. Instead, it leverages the Messaging Application Programming Interface (MAPI) of Outlook to access and control the mailboxes of all users on the compromised system.

As for the malware itself, it is a Dynamic Link Library file that contains code allowing it to install itself on any location of the hard drive. The installation of the backdoor is done through regsvr32.exe, a legitimate windows tool. For achieving persistence, Tulra employed the technique of COM object hijacking. This serves two purposes. First, the malware now launches every time Outlook is started, and second, it prevents the actual path to the backdoor from being displayed in the plug-in list.

Controlled by PDFs

Instead of the more traditional route of using a C&C (Command & Control) server to dictate the behavior of the backdoor malware, Tulra developed its tool to receive instructions from commands hidden in specially crafted PDFs that are sent as email attachments. This method eliminates the need for a constant Internet connection, which may be harder to maintain due to the highly-regulated networks of the Turla victims. The DLL file of the Outlook backdoor contains a hardcoded email address for the attackers, but even if that specific address gets blocked, they can still control the malware by sending emails from another address.

Collecting Data

Once inside, the Turla Backdoor can execute a plethora of functions. It logs metadata for all incoming and outgoing emails such as sender, receiver, subject and the names of any attached files. Any outgoing emails will be forwarded to the attacker's hardcoded email address while messages coming from it will not display any notifications, minimizing the possibility of the users noticing the unusual behavior. If by any chance the email address of the attackers gets blocked, they can update it through one of the malware's functions.

At regular intervals, the backdoor will send reports containing the MAC address of the system and the log file with gathered data. Every time the log file is sent, it gets cleaned, limiting any potential analysts to seeing only the recent activity of the malware. Furthermore, when exfiltrating the report, the backdoor employs the Outlook's callback function, which means that the report is only going to be sent when the users themselves send an email.