Turla DeliveryCheck Backdoor: A Threat to Ukrainian Defense Sector
The defense sector in Ukraine and Eastern Europe faces a new cyber threat as Turla, a Russian nation-state actor, deploys a sophisticated .NET-based backdoor named DeliveryCheck.
Working in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), Microsoft’s threat intelligence team has identified the attacks and attributes them to Turla, a group associated with Russia’s Federal Security Service (FSB).
This backdoor is delivered via email with malicious macros and can install a server-side component on Microsoft Exchange servers to compromise communication and exfiltrate sensitive data.
Key Takeaways:
- The Ukrainian defense sector was targeted by a sophisticated .NET-based backdoor called DeliveryCheck.
- Turla, a Russian nation-state actor, was identified as the threat actor behind the attacks.
- DeliveryCheck uses email-based delivery, Microsoft Exchange server breaches, and PowerShell for malicious operations.
The defense sector in Ukraine and Eastern Europe has become the target of a new .NET-based backdoor called DeliveryCheck, also known as CAPIBAR or GAMEDAY.
This sophisticated backdoor is designed to deliver next-stage payloads, making it a significant security risk.
Turla: A Russian Nation-State Actor Behind the Attacks
Microsoft’s threat intelligence team, collaborating with CERT-UA, has traced the attacks to Turla, a notorious Russian nation-state actor.
Known by various aliases like Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug, Turla is linked to Russia’s Federal Security Service (FSB).
DeliveryCheck’s Stealthy Distribution and Persistence
DeliveryCheck spreads through malicious macros embedded in email attachments. It maintains persistence through a scheduled task, which keeps it resident in memory.
Additionally, the backdoor connects to a command-and-control (C2) server to retrieve tasks, which may involve launching arbitrary payloads hidden inside XSLT stylesheets.
A Multifaceted Attack Strategy
Once initial access is achieved, Turla deploys the notorious Kazuar implant, which is capable of stealing application configuration files, event logs, and a wide range of data from web browsers.
The ultimate aim is to exfiltrate messages from the Signal messaging app for Windows, enabling cyber actors to gain access to sensitive conversations, documents, and images on targeted systems.
DeliveryCheck’s Unique Approach to Breaching Microsoft Exchange Servers
One notable feature of DeliveryCheck is its capability to breach Microsoft Exchange servers.
By leveraging PowerShell Desired State Configuration (DSC), a management platform for automating Windows system configuration, the backdoor installs a server-side component.
This transforms a legitimate server into a malicious C2 center, providing Turla with a covert base of operations.
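Because the report describes DeliveryCheck abusing PowerShell DSC on Exchange servers and a scheduled task for persistence, a defender's first step is to audit both on each server. The script below is an added example and is not part of the original report or Microsoft's tooling; it assumes PowerShell 5.1 or later with the PSDesiredStateConfiguration and ScheduledTasks modules, an elevated session, and a task-path allowlist that you adjust for your own environment.

```powershell
# Added example (not from the original article): audit DSC and scheduled-task
# state on a Windows/Exchange server. Run elevated; cmdlets come from the
# PSDesiredStateConfiguration and ScheduledTasks modules (PowerShell 5.1+).

function Get-DscAuditSummary {
    # Local Configuration Manager settings: a Pull/Push refresh mode or an
    # ApplyAndAutoCorrect mode on a server nobody manages with DSC is worth a look.
    $lcm = Get-DscLocalConfigurationManager
    # Compiled MOF documents the LCM keeps on disk; their presence and timestamps
    # show whether a configuration was ever applied on this host.
    $mofDir = Join-Path $env:SystemRoot 'System32\Configuration'
    $mofs = Get-ChildItem -Path $mofDir -Filter '*.mof' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
    # History of configuration runs (WMF 5+): when, in which mode, with what result.
    $history = Get-DscConfigurationStatus -All -ErrorAction SilentlyContinue |
        Select-Object StartDate, Type, Mode, Status, NumberOfResources, JobID
    # Resources currently enforced, if any configuration is applied.
    $resources = Get-DscConfiguration -ErrorAction SilentlyContinue |
        Select-Object ResourceId, ModuleName, ConfigurationName
    [pscustomobject]@{
        LcmRefreshMode   = $lcm.RefreshMode
        LcmConfigMode    = $lcm.ConfigurationMode
        MofFiles         = $mofs
        RunHistory       = $history
        AppliedResources = $resources
    }
}

function Get-SuspiciousScheduledTasks {
    # Tasks whose action launches PowerShell are a common persistence vehicle.
    # The allowlist below is an assumption; extend it with your own known tasks.
    $knownTaskPaths = @('\Microsoft\')
    Get-ScheduledTask | Where-Object {
        $path = $_.TaskPath
        -not ($knownTaskPaths | Where-Object { $path.StartsWith($_) }) -and
        ($_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' })
    } | Select-Object TaskName, TaskPath, State,
        @{ n = 'Principal'; e = { $_.Principal.UserId } },
        @{ n = 'Command';   e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

# Example run: produce both reports for an analyst to review.
Get-DscAuditSummary | Format-List
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Any applied DSC configuration or PowerShell-launching task that the server's administrators cannot account for should be pulled for closer analysis rather than removed on the spot, so that the artefacts remain available for incident response.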
Combating Cyber Threats in Ukraine
As the defense sector faces evolving cyber threats, a collaboration between Microsoft and CERT-UA has led to the identification of DeliveryCheck’s attacks.
Staying vigilant against nation-state actors like Turla is crucial to safeguarding critical infrastructure and sensitive data.
Cyber Police Dismantles Hostile Propaganda and Fraud Schemes
In a separate operation, the Cyber Police of Ukraine dismantled a massive bot farm, disrupting the activity of over 100 individuals engaged in spreading hostile propaganda to justify the Russian invasion.
The group also leaked the personal information of Ukrainian citizens and ran various fraud schemes. Searches at 21 locations resulted in the seizure of substantial equipment and resources used for these illicit activities.