APT group Turla launches C&C attack through Microsoft Outlook backdoor

Recently, ESET researchers released a research report on the backdoor used by APT organisation Turla (or Snake or Uroburos), which is used to obtain sensitive communications from authorities in at least three European countries.

The most recent target of the backdoor is Microsoft Outlook. The backdoor does not use traditional command and control (C&C) channels such as HTTP(S); instead, it uses a specially crafted PDF file sent as an email attachment to instruct the infected machine to execute a series of commands. The commands include exfiltrating data, downloading additional files, and executing other programs and commands. The exfiltration itself is also carried out through PDF files.

Turla is a Russian cyber espionage APT organisation (also known as Snake or Uroburos) that has been attacking government agencies and private companies since 2008. Among its notable victims are the Finnish Ministry of Foreign Affairs in 2013, the Swiss military company RUAG from 2014 to 2016, and, most recently, the German government from the end of 2017 to the beginning of 2018. Earlier reports on these attacks mentioned that the attackers use email attachments to control the malware and to transmit data stolen from the system, but no technical details about this backdoor were disclosed. To fill that gap, ESET researchers released an in-depth analysis of the Turla backdoor.

ESET’s investigation also revealed that this Microsoft Outlook backdoor was used against various political and military organisations. The foreign offices of two other European governments and one large defence contractor were found to have been compromised. ESET also found dozens of email addresses that Turla registered for this campaign to receive the data exfiltrated from victims.

The backdoor may have appeared as early as 2009. Over the years, its authors have added a variety of features that ultimately give it rare stealth and resilience. The following is the evolution of the backdoor over the past few years.

Attack process

The Turla Outlook backdoor has two primary functions. First, it steals information by forwarding all sent email to the attacker. It primarily targets Microsoft Outlook, but it also supports The Bat!, a popular mail client in Eastern Europe. Second, it uses email messages as the transport layer for its command and control (C&C) protocol. Data (such as files requested by backdoor commands) is attached to the email as a specially crafted PDF document, and commands are likewise received inside PDF attachments. Its behaviour is therefore largely hidden in ordinary mail traffic. It is worth noting that no vulnerability in PDF readers or in Outlook is exploited: the malware itself decodes the data embedded in the PDF document and interprets it as backdoor commands.

The latest version of the backdoor is a standalone Dynamic Link Library (DLL) that contains both its own installation code and the code that interacts with the mail clients Outlook and The Bat!.

[Image: APT group Turla. Source: welivesecurity]

Backdoor installation:

To install the backdoor, the attacker either calls a DLL export named Install or registers the DLL with regsvr32.exe. The parameter passed is the target mail client.

Microsoft Outlook:

Turla’s developers once again rely on COM object hijacking to establish persistence for their malware. This involves redirecting a COM object used by the target application by modifying the corresponding CLSID entry in the Windows registry. Once the entry is changed, the backdoor DLL is loaded every time Outlook loads that COM object. This COM redirection does not require administrative rights because it only takes effect for the current user. Finally, using COM hijacking helps the backdoor remain concealed, since no new service, scheduled task or Run key is created.
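A defender-side check for the persistence technique described above, written here as an added example (it is not from ESET’s report and not the backdoor’s code): it enumerates per-user CLSID entries under HKCU that define an InprocServer32 and reports any that shadow a machine-wide CLSID or point at a DLL outside the Windows directory. The function names, output columns and the "outside SystemRoot" heuristic are choices of this example.

```powershell
# Added example: hunt for per-user COM hijacks of the kind the Turla backdoor uses.
# A CLSID defined under HKCU\Software\Classes\CLSID takes precedence over the same
# CLSID under HKLM for that user, so a user-writable InprocServer32 that points at
# an unexpected DLL is a strong persistence indicator. No admin rights are needed.

$UserClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$MachineClsidRoot = 'HKLM:\Software\Classes\CLSID'

function Get-InprocServerDll {
    param([string]$ClsidKeyPath)
    $serverKey = Join-Path $ClsidKeyPath 'InprocServer32'
    if (-not (Test-Path $serverKey)) { return $null }
    # The DLL path is the key's default value, exposed as the '(default)' property.
    return (Get-ItemProperty -Path $serverKey).'(default)'
}

function Get-UserComHijackCandidates {
    if (-not (Test-Path $UserClsidRoot)) { return @() }
    foreach ($key in Get-ChildItem -Path $UserClsidRoot) {
        $clsid   = $key.PSChildName
        $userDll = Get-InprocServerDll (Join-Path $UserClsidRoot $clsid)
        if (-not $userDll) { continue }
        $machineDll = Get-InprocServerDll (Join-Path $MachineClsidRoot $clsid)
        # Expand %SystemRoot%-style values so the location test below works on real paths.
        $resolved = [Environment]::ExpandEnvironmentVariables($userDll)
        [pscustomobject]@{
            CLSID               = $clsid
            UserDll             = $resolved
            MachineDll          = $machineDll
            ShadowsMachineEntry = [bool]$machineDll
            OutsideWindowsDir   = -not $resolved.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
        }
    }
}

# Report entries that override a machine-wide server or load a DLL from an unusual place.
Get-UserComHijackCandidates |
    Where-Object { $_.ShadowsMachineEntry -or $_.OutsideWindowsDir } |
    Format-Table -AutoSize
```

Treat the output as triage rather than a verdict: some legitimate per-user software registers its own COM servers, and on 64-bit Windows a 32-bit Outlook also consults the Wow6432Node CLSID hive, which this example does not walk.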

Interaction with the mail client:

Microsoft maintains an API, the Messaging Application Programming Interface (MAPI), that allows applications to interact with Outlook. The Turla backdoor uses this API to access and manipulate the mailboxes of users on the infected system. First, it uses MAPILogonEx to connect to the messaging subsystem. Because Outlook opens its default session with the MAPI_ALLOW_OTHERS flag, the backdoor can reuse that already-open session to access the default mailbox profile. Once this is done, it has access to the full mailbox, which it can easily manipulate with other MAPI functions. It traverses the various message stores, parses emails, and registers callbacks on the inbox and outbox.

Inbox callback:

The inbox callback first records metadata about incoming emails, including the sender, recipients, subject, and attachment names. It then parses the email and its attachments to check whether they contain commands from the attacker. Finally, it intercepts non-delivery report (NDR) emails by checking whether the incoming email contains the operator’s (attacker’s) email address; any email containing that address is discarded.

Outbox callback:

Similar to the inbox callback, the outbox callback records the metadata of each outgoing email. It also forwards every outgoing email to the attacker’s email address. In addition, the backdoor periodically sends a report to the attacker’s email address.

Hide malicious behaviour:

Since the backdoor runs while the user is working on the computer and in Outlook, it goes to some effort to hide the malicious activity that might otherwise appear on screen, such as emails from the attacker. First, the backdoor always deletes every email sent to or received from the attacker. Second, it hooks the CreateWindowEx function to block the creation of windows of the NetUIHWND class, which is the window type Outlook uses to display new-mail notifications in the lower right corner of the screen.

According to ESET’s investigation, Turla is currently the only espionage group known to use a backdoor that is controlled entirely by email, and more specifically by PDF attachments. Although this was not the first backdoor to use the victim’s real mailbox to receive commands and exfiltrate data, it is the first known backdoor to interact with Microsoft Outlook through the standard API (MAPI). This is a significant improvement over older email-controlled backdoors, which relied on Outlook Express and read the inbox files and wrote the outbox files directly. By contrast, the Turla backdoor works even with the latest versions of Outlook.

A compromised organisation risks not only being monitored by the Turla backdoor but also being controlled by other attackers. The backdoor executes virtually any command it receives and does not authenticate the operator. As a result, other attackers who have reverse engineered the backdoor and worked out how to control it could use it to spy on the victim themselves.