New PowerShell-based tools used by the Turla cyber espionage group improve the group’s persistence and stealth capabilities, according to researchers at cyber security firm Eset.
Turla, also known as Snake, is now using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries.
Microsoft PowerShell is a legitimate scripting language commonly used by IT administrators to configure systems and automate administrative tasks.
Because the payload is loaded and executed from memory, PowerShell-based tools let attackers bypass security controls that are triggered only when a malicious executable is written to disk.
The use of PowerShell and other fileless techniques is gaining popularity with cyber attackers as a way of sidestepping detection by avoiding traditional malware files when initiating an attack.
Turla is known for complex malware and is believed to have been operating since at least 2008 when it breached the US military. It has also been involved in major attacks against government entities in Europe and the Middle East, including the German Foreign Office and the French military.
Recently, Eset researchers detected several attacks against diplomatic entities in Eastern Europe using PowerShell scripts.
“It is likely the same scripts are used globally against other traditional Turla targets,” said Eset researcher Matthieu Faou.
“Along with Turla’s new PowerShell loader, we’ve discovered and analysed several interesting payloads, including an RPC [remote procedure call]-based backdoor and a PowerShell backdoor leveraging Microsoft’s cloud storage service, OneDrive, as its command and control [C&C] server.”
The PowerShell loaders, detected by Eset under the umbrella name PowerShell/Turla, differ from simple droppers in that they persist on the system and regularly load the embedded executables into memory only, rather than writing them to disk.
In some samples, Eset researchers found that Turla developers modified their PowerShell scripts to bypass the Windows Antimalware Scan Interface (AMSI), which allows applications and services to integrate with any antimalware product that’s present on a machine. This technique, the researchers said, leads to the antimalware product being unable to receive data from the AMSI interface for scanning.
“However, these techniques do not prevent the detection of the actual malicious payloads in memory,” said Faou.
Among the payloads recently used by Turla, he said two stand out. First is a whole set of backdoors relying on the RPC protocol. These backdoors, said Faou, are used to perform lateral movement and take control of other machines in the local network without relying on an external C&C server. Second is PowerStallion, a lightweight PowerShell backdoor using OneDrive as a C&C server.
“We believe this backdoor is a recovery access tool in case the main Turla backdoors are removed and operators can no longer access the compromised computers,” said Faou.
Eset researchers have published a blogpost with the results of their analysis of Turla’s PowerShell scripts to help defenders counter them, he said.
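Because a loader script still has to pass through the PowerShell engine before anything runs, PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records its content even when no file ever touches the disk. The following is an added example, not Eset's tooling and not code from the article: a Python scan over a handful of constructed, made-up 4104-style records that flags the two traits the article describes, an assembly loaded directly from a byte array and a Base64-decoded string handed to Invoke-Expression. The record layout and the indicator patterns are assumptions of this example, not Eset's signatures.

```python
"""Flag PowerShell script-block log records that show in-memory loading.

The log text below is constructed for this example and only mimics the shape
of Event ID 4104 (ScriptBlockText) records; it is not real Turla material.
"""
import re
from dataclasses import dataclass

# Indicator patterns (assumptions of this example, not vendor signatures):
#  - an assembly loaded straight from a byte array, never from a file
#  - a Base64-decoded blob later executed with Invoke-Expression / iex
INDICATORS = {
    "reflective_assembly_load": re.compile(
        r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(", re.I),
    "base64_to_invoke_expression": re.compile(
        r"FromBase64String[\s\S]*?(Invoke-Expression|\biex\b)", re.I),
}

# Constructed sample: four records, two benign admin commands and two loaders.
SAMPLE_LOG = """\
RecordId: 101
Computer: WS-01.corp.example
ScriptBlockText:
Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 10MB }

RecordId: 102
Computer: WS-01.corp.example
ScriptBlockText:
$b = [Convert]::FromBase64String($blob)
$asm = [System.Reflection.Assembly]::Load($b)
$asm.EntryPoint.Invoke($null, $null)

RecordId: 103
Computer: DC-01.corp.example
ScriptBlockText:
Get-Service | Where-Object Status -eq 'Running'

RecordId: 104
Computer: WS-07.corp.example
ScriptBlockText:
$s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc))
Invoke-Expression $s
"""


@dataclass
class Hit:
    record_id: int
    host: str
    indicators: list


def parse_records(log_text):
    """Split the constructed log into dicts; everything after the
    'ScriptBlockText:' line is the script content."""
    records = []
    for chunk in re.split(r"\n\s*\n", log_text.strip()):
        lines = chunk.splitlines()
        rec = {"ScriptBlockText": ""}
        for i, line in enumerate(lines):
            if line.startswith("ScriptBlockText:"):
                rec["ScriptBlockText"] = "\n".join(lines[i + 1:])
                break
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def scan_record(rec):
    """Return the names of every indicator that matches this record."""
    text = rec["ScriptBlockText"]
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


def find_in_memory_loaders(log_text):
    """Return one Hit per record that matched at least one indicator."""
    hits = []
    for rec in parse_records(log_text):
        matched = scan_record(rec)
        if matched:
            hits.append(Hit(int(rec["RecordId"]), rec["Computer"], matched))
    return hits


if __name__ == "__main__":
    for hit in find_in_memory_loaders(SAMPLE_LOG):
        print(f"record {hit.record_id} on {hit.host}: {', '.join(hit.indicators)}")
```

Script block logging is off by default; it is enabled through the "Turn on PowerShell Script Block Logging" Group Policy setting under Administrative Templates > Windows Components > Windows PowerShell. The two benign records above match nothing, which is the point of anchoring on the load-from-bytes and decode-then-execute pair rather than on Base64 alone, since legitimate administration scripts decode Base64 all the time.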