Linux backdoor used by Turla APT attackers discovered, analyzed

Kaspersky Lab researchers have discovered a new piece of the puzzle called Turla (aka Snake, aka Uroburos): the malware used by attackers does not come only in the Windows flavour, but in the Linux one as well.

The APT attackers behind the Turla campaigns are thought to be Russian-speaking. They use zero-day exploits, social engineering and watering hole techniques attacks to infect victims – government entities, embassies, military, research and education organizations and pharmaceutical companies – with rootkits/backdoors that allow them to take control of infected machines and execute commands on them, and steal files and deliver them to C&C servers under their control.

As far as we know, the attackers have operated this way for years. So far, researchers have managed to find and analyze the malware used for compromising 32-bit and 64-bit Microsoft Windows systems, but they believed that the attackers also wielded Linux malware.

But only now Kaspersky Lab researchers managed to get their hands on two of these samples.

“The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management,” they shared.

The malware is a backdoor based on publicly available source code.

“This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands,” they noted. “It can’t be discovered via netstat, a commonly used administrative tool. It uses techniques that don’t require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.”

Another interesting thing about it is that it springs into action after receiving a specially crafted packet from the attackers containing a specific ACK number in the TCP header or a specific second byte in the UDP packet body.

The two samples they have detected are different variants of the same malware, but it’s more than likely more of them exist in the wild. Kaspersky’s researchers believe that one of these variants has been hidden on a infected computer for years.

More about

Don't miss