Turla has been targeting defense sector organizations in Ukraine and Eastern Europe with DeliveryCheck and Kazuar backdoors / infostealers and has been using compromised Microsoft Exchange servers to control them.
The group is linked to many cyberattacks targeting government and military organizations, as well as cyberespionage campaigns against other organizations that have information the Russian government might find useful.
This latest round of publicized attacks started with emails from (likely compromised) UKR.NET email accounts, delivering documents with malicious macros and triggering the download of the DeliveryCheck (CAPIBAR, GAMEDAY) backdoor malware.
The CAPIBAR malware attack chain (Source: CERT-UA)
The malware connects to the C2 server to retrieve its “orders”, which may include file exfiltration via open-source tools such as rclone and, in some cases, the download and deployment of an additional backdoor dubbed Kazuar.
Microsoft says Kazuar is a “fully-featured implant”. According to CERT-UA (Computer Emergency Response Team of Ukraine) Kazuar can implement more than 40 functions that allow it to, among other things, collect data from OS logs, steal authentication data (passwords, bookmarks, autofill, history, proxies, cookies, etc.) and databases/configuration files of applications such as KeePass, Azure, Gcloud, AWS, BlueMix and others.
“The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems,” Microsoft noted.
Turla uses compromised Microsoft Exchange servers
Turla also used Desired State Configuration (DSC) – a PowerShell feature that allows administrators to automate the configuration of Windows and Linux systems – to install the server-side components of the DeliveryCheck malware on compromised Microsoft Exchange servers.
“DSC generates a managed object format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center,” Microsoft explained.
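A defender-side triage script for the technique described above, added here as an illustration and not code from Microsoft, CERT-UA or the malware itself: it parses the `MSFT_ScriptResource` instances of a DSC MOF file (the Script resource, whose Get/Test/Set bodies are PowerShell strings) and flags bodies that decode and load a .NET assembly in memory. The sample MOF is constructed; the indicator patterns and the assumption that the embedded payload is base64-encoded are the author's own heuristics, not published signatures.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators for a DSC Script resource that turns a server into a
# loader for an in-memory .NET payload. These are assumed patterns written for
# this example, not indicators published for DeliveryCheck.
INDICATORS = {
    "reflective_assembly_load": re.compile(
        r"\[\s*(?:System\.)?Reflection\.Assembly\s*\]\s*::\s*Load", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.I),
    "web_download": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest", re.I),
}

# One "instance of <class> [as $ref] { ... };" block of a MOF file.
INSTANCE_RE = re.compile(r"instance of\s+(\w+)(?:\s+as\s+\$\w+)?\s*\{(.*?)\};", re.S)
# Quoted string properties inside a block; handles backslash escapes.
PROP_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
SCRIPT_PROPS = ("GetScript", "TestScript", "SetScript")


@dataclass
class Finding:
    resource_id: str
    property: str
    indicators: list = field(default_factory=list)


def unescape(s):
    """Resolve MOF string escapes (\\" \\n \\t \\\\) in one pass."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def parse_mof(text):
    """Return a list of (class_name, {property: value}) per instance block."""
    blocks = []
    for m in INSTANCE_RE.finditer(text):
        cls, body = m.group(1), m.group(2)
        blocks.append((cls, {k: unescape(v) for k, v in PROP_RE.findall(body)}))
    return blocks


def scan_mof(text):
    """Flag Script-resource bodies that match any loader indicator."""
    findings = []
    for cls, props in parse_mof(text):
        if cls != "MSFT_ScriptResource":
            continue
        rid = props.get("ResourceID", "<unknown>")
        for prop in SCRIPT_PROPS:
            hits = [name for name, rx in INDICATORS.items() if rx.search(props.get(prop, ""))]
            if hits:
                findings.append(Finding(rid, prop, hits))
    return findings


def risk_score(findings):
    """Crude score: decode + reflective load in the same body weighs most,
    since together they are the in-memory .NET loader pattern."""
    score = 0
    for f in findings:
        s = set(f.indicators)
        score += 3 if {"reflective_assembly_load", "base64_decode"} <= s else len(s)
    return score


# Constructed sample: one benign Script resource and one that loads an
# assembly from a base64 blob (placeholder, no real payload).
SAMPLE_MOF = r'''
/*
@TargetNode='EXCHANGE01'
*/
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]UpdateHealthCheck";
 GetScript = "return @{ Result = 'ok' }";
 TestScript = "return $false";
 SetScript = "$b = [Convert]::FromBase64String('<base64 assembly placeholder>'); [System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)";
 ModuleName = "PSDesiredStateConfiguration";
 ConfigurationName = "HealthCheck";
};
instance of MSFT_ScriptResource as $MSFT_ScriptResource2ref
{
 ResourceID = "[Script]EnsureLogDir";
 GetScript = "return @{ Result = (Test-Path C:\\Logs) }";
 TestScript = "Test-Path C:\\Logs";
 SetScript = "New-Item -ItemType Directory -Path C:\\Logs";
 ModuleName = "PSDesiredStateConfiguration";
 ConfigurationName = "HealthCheck";
};
'''

if __name__ == "__main__":
    found = scan_mof(SAMPLE_MOF)
    for f in found:
        print(f"{f.resource_id} {f.property}: {', '.join(f.indicators)}")
    print("risk score:", risk_score(found))
```

On a live host the same functions can be pointed at the node's DSC configuration store (assumed here to be the MOF files the Local Configuration Manager keeps under the Windows system directory; the example reads only its embedded sample). A hit on `SetScript` alone is not proof of compromise, but a Script resource on an Exchange server that decodes and reflectively loads an assembly has no legitimate configuration-management purpose and should be pulled for analysis together with the account that pushed the configuration.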