#    


##### in 2008, when Turla breached the US Department of Defense [1]. Since then, there have been

 numerous security incidents involving Turla targeting several governments and sensitive

# 

##### businesses such as the defense industry [2].

# 


##### Our January 2018 white paper [3] was the first public analysis of a Turla campaign called

 Mosquito. We have also published indicators of compromise [4]. Since then, the campaign has

 remained very active and attackers have been busy changing their tactics to remain as stealthy

 as possible.

 Starting in March 2018, we observed a significant change in the campaign: it now leverages the

 open source exploitation framework Metasploit before dropping the custom Mosquito

 backdoor. It is not the first time Turla has used generic tools. In the past, we have seen the

 group using open-source password dumpers such as Mimikatz. However, to our knowledge,

 this is the first time Turla has used Metasploit as a first stage backdoor, instead of relying on

 one of its own tools such as Skipper [5].

## Distribution


-----

##### campaign is still a fake Flash installer, in reality installing both the Turla backdoor and the

 legitimate Adobe Flash Player. The typical targets are still embassies and consulates in Eastern

 Europe.

 We showed that the compromise happens when the user downloads a Flash installer from

 get.adobe.com through HTTP. Traffic was intercepted on a node between the end machine

 and the Adobe servers, allowing Turla’s operators to replace the legitimate Flash executable

 with a trojanized version. The following image shows the different points where the traffic

 could in theory be intercepted. Please note that we believe the fifth possibility to be excluded,

 as, to the best of our knowledge, Adobe/Akamai was not compromised.


-----

##### Even though we were not able to spot traffic interception subsequently, we found a new

 executable that is still impersonating the Flash installer and is named

 flashplayer28_xa_install.exe. Thus, we believe the same method of initial compromise

 is still being used.

## Analysis


-----

##### some changes in the Mosquito campaign. Even though they did not make use of

 groundbreaking techniques, this is a significant shift in Turla’s Tactics, Techniques and

 Procedures (TTPs).

 Previously, the chain of compromise was a fake Flash installer dropping a loader and the main

 backdoor. The following figure summarizes the process.


-----

##### DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a

 legitimate Flash installer. Then, the shellcode downloads a Meterpreter, which is a typical

 Metasploit payload [6], allowing the attacker to control the compromised machine. Finally, the

 machine may receive the typical Mosquito backdoor. The figure below summarizes the new

 process.

 Because Metasploit is being used, we might also guess that an operator controls the

 exploitation process manually. The time frame of the attack was relatively short as the final

 backdoor was dropped within thirty minutes of the start of the compromise attempt.


-----

-----

-----

##### g p y p y q

 domain, psychology-blog.ezua[.]com, was resolving to it in October 2017.

 Finally, the fake Flash installer downloads a legitimate Adobe installer, from a Google Drive URL,

 and executes it to lull the user into thinking all went correctly.

## Additional tools

##### In addition to the new fake Flash installer and Meterpreter, we observed the use of several

 other tools.

A custom executable that only contains the Metasploit shellcode. This is used to maintain access to a
Meterpreter session. It is saved to C:\Users\
<username>\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\msupdateconf.exe, granting the executable persistence.

Another custom executable used to execute PowerShell scripts.

The Mosquito JScript backdoor that uses Google Apps Script as its C&C server.


-----

## Conclusion

##### In this post, we have presented the evolutions of the Turla Mosquito campaign over the last

 few months. The major change we observed was the use of Metasploit, an open-source

 penetration testing project, as a first stage for the custom Mosquito backdoor. This might be

 useful information for defenders performing incident response on attacks involving Turla.

 For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.

### C&C

https://209.239.115[.]91/6OHEJ

https://70.32.39[.]219/n2DE3

### Link to the legitimate Flash installer


-----

## IoCs

Filename SHA1 SHA256

flashplayer28_xa_install.exe 33d3b0ec31bfc16dcb1b1ff82550aa17fa4c07c5 f9b83eff6d705c214993be9575

msupdateconf.exe 114c1585f1ca2878a187f1ce7079154cc60db7f5 1193033d6526416e07a5f20022

msupdatesmal.exe 994c8920180d0395c4b4eb6e7737961be6108f64 6868cdac0f06232608178b101c

### References

##### [1] B. KNOWLTON, “Military Computer Attack Confirmed,” New York Times, 25 08 2010.

 [Online]. Available: https://www.nytimes.com/2010/08/26/technology/26cyber.html?

 _r=1&ref=technology. [Accessed 09 04 2018].


-----

##### 23 05 2016. [Online]. Available:

 https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical
 reports/technical-report_apt_case_ruag.html.

 [3] ESET, “Diplomats in Eastern Europe bitten by a Turla mosquito,” ESET, 01 2018. [Online].

 Available: https://www.welivesecurity.com/wp
 content/uploads/2018/01/ESET_Turla_Mosquito.pdf.

 [4] ESET, “Mosquito Indicators of Compromise,” ESET, 09 01 2018. [Online]. Available:

 https://github.com/eset/malware-ioc/tree/master/turla#mosquito-indicators-of-compromise.

 [5] M. Tivadar, C. Istrate, I. Muntean and A. Ardelean, “Pacifier APT,” 01 07 2016. [Online].

 Available: https://labs.bitdefender.com/wp-content/uploads/downloads/pacifier-apt/.

 [6] “About the Metasploit Meterpreter,” [Online]. Available: https://www.offensive
 security.com/metasploit-unleashed/about-meterpreter/.


-----

##### http://radare.today/posts/unpacking-shikata-ga-nai-by-scripting-radare2/.

 [8] “meterpreter/source/extensions/priv/server/elevate/,” Rapid7, 26 11 2013. [Online]. Available:

 https://github.com/rapid7/meterpreter/tree/master/source/extensions/priv/server/elevate.



[ESET Research](https://www.welivesecurity.com/author/esetresearch/) 22 May 2018 - 02:58PM


#### Similar Articles


[ESPIONAGE](https://www.welivesecurity.com/category/espionage/) [ESPIONAGE](https://www.welivesecurity.com/category/espionage/) [ESPIONAGE](https://www.welivesecurity.com/category/espionage/) [ESPIONAGE](https://www.welivesecurity.com/category/espionage/)


[ESPIONAGE](https://www.welivesecurity.com/category/espionage/)


[ESPIONAGE](https://www.welivesecurity.com/category/espionage/)


ESET research:
Appearances are


[ESPIONAGE](https://www.welivesecurity.com/category/espionage/)


New ESET research
uncovers Gazer, the


[ESPIONAGE](https://www.welivesecurity.com/category/espionage/)


Operation Potao Express:
[Analysis of a cyber-](https://www.welivesecurity.com/2015/07/30/operation-potao-express/)


Huawei? The how, what,
[and why of telecom](https://www.welivesecurity.com/2012/10/08/huawei-the-how-what-and-why-of-telecom-supply-chain-threats/)


-----

#### Discussion


-----

[Home](https://www.welivesecurity.com/)

About Us

Contact Us


[Sitemap](https://www.welivesecurity.com/sitemap/)

Our Experts

ESET


[Research](https://www.welivesecurity.com/research/)

How To

Categories


[RSS Configurator](https://www.welivesecurity.com/rss-configurator/)

News Widget


-----