Russian Hacking Group's Backdoor Uses DropboxResearchers Describe Turla Group's 'Crutch' Malware
As part of a cyberespionage campaign, the Russian hacking group known as Turla deployed a backdoor called "Crutch" that uses Dropbox resources to help gather stolen data, according to the security firm ESET.
Crutch, which acts as both a backdoor and information stealer, was active from 2015 through at least early 2020. While Crutch has not been previously identified, the ESET researchers believe that it was used in at least one espionage campaign that targeted a ministry of foreign affairs in the European Union that it did not name.
The researchers note the malware appears capable of bypassing security filters by blending into normal network traffic while exfiltrating stolen documents and receiving commands from the Turla hacking group.
"The main malicious activity is exfiltration of documents and other sensitive files. The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal," Matthieu Faou, an ESET researcher, notes in the report.
ESET researchers identified linked Crutch to Turla based on similarities between the Crutch dropper - used to help install the malware on a compromised device - and Gazer, another second-stage backdoor used by Turla in between 2016 and 2017.
Crutch and Gazer also use the same RC4 encryption key used to help exfiltrate data, the researchers say.
Turla, which is also known as Belugasturgeon, Ouroboros, Snake, Venomous Bear and Waterbug, has carried out a series of operations targeting government or military agencies in at least 35 countries since 2008 (see: Russian Hackers Revamp Malware, Target Governments: Report).
The advanced persistent threat group has deployed a large malware arsenal that ESET and other researchers have documented over the past several years. The group's hacking tools include ComRAT network exfiltration malware and the HyperStack backdoor used to manipulate Windows APIs for persistence (see: Updated Malware Tied to Russian Hackers).
The ESET report notes that Crutch is mainly used as a second-stage backdoor, and it’s usually installed on a compromised device after other malware has already been deployed against a target. The researchers note that Turla first used another backdoor called Skipper before deploying Crutch.
In one case, the hacking group used PowerShell Empire - a penetration testing post-exploitation tool - to deploy Crutch within a compromised network, according to the report.
ESET has identified several versions of Crutch. The earlier versions, deployed between 2015 and 2019, used a backchannel to communicate with a hardcoded Dropbox account using the official HTTP API. The hacking group could then send commands to the malware before data was uploaded and encrypted to the cloud storage account.
The researchers also note that Crutch uses Dynamic Link Library hijacking to maintain persistence within a device or network.
A newer version, called Version 4, that appeared in July 2019 enabled more automation to allow the malware to collect files without commands from its operators, according to the report.
"The main difference is that it no longer supports backdoor commands,” ESET says. "On the other hand, it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility."
Faou notes that the use of Dropbox as a communication tool between the hacking group and the malware it deploys shows increasing sophistication.
" Most of recent Turla backdoors are using emails for command-and-control communication, such as LightNeuron and ComRAT v4, so the use of Dropbox is quite new," Faou tells Information Security Media Group. "However, this is in line with their ability to build custom command-and-control protocols that easily blend into the normal network traffic."
Criminals’ Use of Legitimate Tools
Other APT groups have also used legitimate cloud tools and services as part of their malicious infrastructure.
In September, Microsoft noted that it removed 18 apps from its Azure cloud computing platform that were being used by a hacking group as part of its command-and-control infrastructure to help launch phishing email attacks (see: Microsoft Shutters Azure Apps Used by China-Linked Hackers).
Researchers at Texas Tech University published a paper in June that noted even legitimate hackers, such as penetration testers, routinely weaponized cloud resources (see: Even Ethical Hackers Abuse Cloud Services).