A seemingly legitimate update sometimes turns out to be malicious software in disguise. A state-sponsored hacking campaign is using a new method of malware delivery that hides behind what looks like an innocent software update, such as an Adobe Flash Player update.
Researchers at ESET uncovered the operation, whose attacks are aimed at embassies and consulates in Eastern European states, and linked it to Turla, one of the most notorious ongoing cyber-espionage groups. Turla has been targeting diplomats and government officials for years, using tactics such as watering-hole attacks and spear-phishing campaigns that rely on fake extension downloads to infect the victim's system. Besides these specific targets, some private companies have also suffered these attacks.
The technique itself is not new, but ESET's researchers are not yet sure how the attackers bundle their payload with an Adobe Flash Player installer, or how it tricks so many people into believing they are downloading genuine software.
How did ESET researchers conclude that Turla is behind these attacks?
First, the fake software installers open a backdoor that lets the attackers drop malware onto the system; this malware, referred to as Mosquito, has already been associated with Turla's campaigns. Second, Turla uses an app hosted on Google Apps Script as a command-and-control (C&C) server linked to the Java. Finally, the malware used in these attacks shares similarities with other Turla-related malware such as Gazer and ComRAT, which points to a strong connection between the operations. All of them share the same focus, embassies and consulates in Eastern European states, and go to great lengths to keep their remote access to those sources of data.
How does Turla conduct this attack?
One possible method is a man-in-the-middle attack on the target organization's local network, which implies that the attackers have already compromised that network. In this scenario, traffic from the victim's system is redirected through the compromised server and modified in transit. Two other scenarios, considered less likely because they would immediately set alarm bells ringing, are a man-in-the-middle attack at the ISP level, or a Border Gateway Protocol (BGP) hijack that re-routes the traffic to an attacker-controlled server so that it never reaches Adobe's servers.