Russian APT Using Dropbox Based Malware
As ESET researchers reported, a new backdoor malware named Crutch was used by Russian APT Turla to steal sensitive documents in their campaigns. Turla group is also known as Waterbug and Venomous Bear in some reports and has origin dating back to 1996, hacking and stealing data from thousands of companies since then. Now, it’s reported to be using Crutch, which has been undocumented until this year but used by Turla since 2015 for attacking agencies like the Ministry of Foreign Affairs of European Union countries. Crutch stands out with its special ability to use the legitimate service – Dropbox for its purposes.
It’s crafted for mixing up its communications in Dropbox’s legitimate traffic, which is done over HTTPS, thus not suspected by malware detecting softwares. It can also store and exfiltrate the stolen data from victims in the Dropbox account handled by malware operators. The Crutch is a second-stage backdoor malware used by the Turla group, as researchers found links between the two groups’ mechanism. Using the RC4 key for decrypting payloads to the same filenames and almost similar PDB paths is why researchers linked this to Turla. The Crutch is deployed after using the Skipper like malware in the initial compromising attacks, with many open-source tools like PowerShell Empire tools. Researchers also spotted a new version of this malware capable of uploading files automatically from local and removable drives to its Dropbox account, using the Windows Wget utility.