
Demystifying Turla APT Malware with MetaDefender Sandbox

by OPSWAT

Turla, a well-known threat actor, targets its victims with Advanced Persistent Threats (APTs). Analyzing a sophisticated example of this malware with MetaDefender Sandbox gives us an in-depth understanding of the methodology used to dissect and understand these threats, which is essential for cybersecurity professionals aiming to defend against them.

This malware is KopiLuwak, a JavaScript-based reconnaissance tool widely used for victim profiling and C2 communication. Its obfuscation techniques and relatively straightforward backdoor design enable it to operate discreetly and evade detection.

Threat Actor Profile

Turla, a cyber espionage threat group with suspected ties to Russia's Federal Security Service (FSB), has been actively operating since at least 2004. Over the years, Turla has successfully compromised victims in more than 50 countries, infiltrating diverse sectors such as government, embassies, military, education, research, and pharmaceutical companies.

The group exhibits a sophisticated modus operandi, often employing tactics such as using watering holes and spear phishing campaigns. Despite its notoriety, Turla's activity has surged in recent years, highlighting the group's resilience and adaptability in the ever-evolving landscape of cyber threats.

Sample Overview

The sample under scrutiny is a Microsoft Word document which, upon initial examination of its embedded content (e.g. with Didier Stevens' oletools), contains a variety of suspicious artefacts, such as:

  • A macro with the AutoOpen and AutoClose keywords, indicating automated VBA execution.
  • “mailform.js” together with “WScript.Shell”, indicating that embedded JavaScript (JS) is present and will be executed.
  • An embedded object that pretends to be a JPEG file and contains a very long suspicious string (encrypted JS code).

Note: you can find all these strings in the “Extracted Strings” section, under the “Input File” tab.
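As an added example (not code from the OPSWAT post or from the sample), the following script performs the kind of first-pass triage described above over the strings a tool such as oletools extracts from a document: it flags the AutoOpen/AutoClose keywords, WScript.Shell, a .js file name, and an oversized encoded blob, and it uses Shannon entropy so that a long but repetitive string is not mistaken for ciphertext. The sample strings, the length threshold and the entropy threshold are assumptions constructed for this example.

```python
"""
Added example (not from the OPSWAT post): a first-pass triage over the strings that a
tool such as oletools extracts from a document. It flags the artefacts listed above
(AutoOpen/AutoClose, WScript.Shell, a .js file name, an oversized encoded blob) and
uses Shannon entropy so that a long but repetitive string is not mistaken for ciphertext.
"""
import base64
import math
import random
import re

# Indicators named in the post, grouped by what they suggest.
KEYWORD_INDICATORS = {
    "auto-execution macro": ("AutoOpen", "AutoClose"),
    "script host usage": ("WScript.Shell",),
}
JS_NAME_RE = re.compile(r"\b[\w-]+\.js\b", re.IGNORECASE)
# Heuristic thresholds (assumptions for this example, not values from the post).
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
MIN_BLOB_LEN = 200
MIN_BLOB_ENTROPY = 4.5


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_strings(strings):
    """Return (label, detail) findings for each suspicious extracted string."""
    findings = []
    for s in strings:
        lowered = s.lower()
        for label, needles in KEYWORD_INDICATORS.items():
            if any(needle.lower() in lowered for needle in needles):
                findings.append((label, s[:60]))
        if JS_NAME_RE.search(s):
            findings.append(("embedded JavaScript", s[:60]))
        # Only a long, base64-looking AND high-entropy string counts as an encoded blob.
        if len(s) >= MIN_BLOB_LEN and BLOB_RE.match(s):
            ent = shannon_entropy(s)
            if ent >= MIN_BLOB_ENTROPY:
                findings.append(("long encoded blob", f"{len(s)} chars, entropy {ent:.2f}"))
    return findings


# Constructed stand-ins for extracted strings; the real document's strings are not reproduced.
_rng = random.Random(2024)
_fake_cipher = bytes(_rng.getrandbits(8) for _ in range(300))
SAMPLE_STRINGS = [
    "Sub AutoOpen()",
    'Set sh = CreateObject("WScript.Shell")',
    "mailform.js",
    "image1.jpeg",
    "A" * 300,                                        # long but repetitive: must not fire
    base64.b64encode(_fake_cipher).decode("ascii"),   # long and high-entropy: should fire
]

if __name__ == "__main__":
    for label, detail in triage_strings(SAMPLE_STRINGS):
        print(f"[{label}] {detail}")
```

The entropy gate is the part worth keeping: padding, whitespace runs and repeated filler easily exceed any length threshold, and without the gate a triage script drowns in false positives on ordinary documents.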

Multilayer Emulation

While at this point a manual analysis would require applying advanced decryption and code massaging (e.g. using Binary Refinery, reformatting code for readability, or renaming variables for clarity), we can count on the advanced emulation technology in MetaDefender Sandbox to perform all of these steps for us automatically.

Let’s switch to the “Emulation Data” tab on the left side of the report:

Looking at some of the emulator events, we can clearly see the entire chain of attack unfolding:

But that’s not all: the new JS code is also highly obfuscated. If we look at the Shell event, it has been executed with “NPEfpRZ4aqnh1YuGwQd0” as its parameter. This parameter is the RC4 key used in the next decoding iteration.

In the following step, mailform.js decodes the final JS payload, which is stored as a long Base64 string: the string is Base64-decoded, then decrypted with RC4 using the key passed as a parameter (mentioned above), and finally executed via the eval() function. Note that this JS code exists only in memory, but MetaDefender Sandbox still applies all remaining detection steps to it.
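The decoding chain just described, as an added example that is not code from the OPSWAT post or from the sample itself: Base64 decode, RC4 decrypt with the key the dropper passes on the command line, then inspect the plaintext instead of handing it to eval(). The RC4 key is the one quoted above; the encrypted payload is a constructed placeholder built with the same wrapping, since the real final stage is not reproduced here, and the list of API names checked at the end is an assumption for this example.

```python
"""
Added example (not from the OPSWAT post): reproduce the Base64 -> RC4 -> script
decoding chain of the dropper and inspect the result rather than executing it.
"""
import base64

# Key quoted in the post as the parameter of the Shell event.
RC4_KEY = b"NPEfpRZ4aqnh1YuGwQd0"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_payload(blob_b64: str, key: bytes) -> str:
    """Base64 -> RC4 -> text, the same steps the dropper performs before eval()."""
    ciphertext = base64.b64decode(blob_b64)
    return rc4(key, ciphertext).decode("utf-8")


def build_sample(plaintext: str, key: bytes) -> str:
    """Constructed test data: wrap plaintext the way the dropper expects it."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")


# Names an analyst would look for in the recovered stage (assumption for this example).
SUSPICIOUS_CALLS = ("eval(", "WScript.Shell", "XMLHTTP", "ActiveXObject")


def flag_calls(script: str) -> list:
    """Return the suspicious API names present in the decoded script."""
    return [name for name in SUSPICIOUS_CALLS if name in script]


# Constructed placeholder for the final stage; the real script is not reproduced here.
SAMPLE_STAGE = (
    'var o = new ActiveXObject("WScript.Shell");\n'
    "// constructed placeholder, not the real payload\n"
)
SAMPLE_BLOB = build_sample(SAMPLE_STAGE, RC4_KEY)

if __name__ == "__main__":
    recovered = decode_payload(SAMPLE_BLOB, RC4_KEY)
    print(recovered)
    print("flags:", flag_calls(recovered))
```

Because RC4 is symmetric, build_sample() and decode_payload() share one routine; in practice the analyst supplies the Base64 string lifted from the emulation events and the key observed on the command line, and the recovered text is read, never executed.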

RC4 decryption function and encrypted payload
Payload after decryption

The fully decrypted JS code reveals the malware’s functionality as a basic backdoor, capable of running commands received from a remote C2 server. Before connecting to the C2 server, it builds a victim profile and establishes persistence; it then exfiltrates the collected data to the C2 server over HTTP requests.

Victim profiling commands
Persistence
C2 communication

IOC Extraction

The “Indicator of Compromise” sub-page aggregates all the IOCs extracted at any step of the automated analysis, displaying the key C2 URLs under the “VBA emulation” origin:

C2 servers

Whenever a known malware family name appears in an AV label or a YARA rule, or is detected via, e.g., a decoded configuration file, MetaDefender Sandbox automatically generates the appropriate tag and propagates it to the top-level landing page of the report:

While this is not always guaranteed to be accurate, it is a leading indicator that helps with further triage and accurate attribution.

Conclusion

This technical analysis of a Turla APT malware sample underscores the depth and sophistication of modern cyber threats, and shows how MetaDefender Sandbox saves a massive amount of time by automatically de-obfuscating multiple encryption layers until it reaches valuable IOCs. This interesting sample shows how our emulation system can effectively adapt to the polymorphic nature of the obfuscation techniques used in the in-the-wild campaigns of sophisticated threat actors.

Indicators of Compromise (IOCs)

MS Word Document

SHA-256: 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6

mailform.js

SHA-256: 4f8bc0c14dd95afeb5a14be0f392a66408d3039518543c3e1e666d973f2ba634

C2 Servers

hxxp[://]belcollegium[.]org/wp-admin/includes/class-wp-upload-plugins-list-table[.]php
hxxp[://]soligro[.]com/wp-includes/pomo/db[.]php
