Evolving Malware Attacks: The DeliveryCheck Backdoor

A recent cyber espionage campaign by the Russian state-sponsored Turla hacking group, also known as Secret Blizzard, KRYPTON, and UAC-0003, targets the defence industry and Microsoft Exchange servers with a sophisticated malware backdoor called 'DeliveryCheck'. The group is believed to be linked to Russia's Federal Security Service (FSB). This article outlines the attack flow, tactics used by the Turla threat actors, and the capabilities of the DeliveryCheck malware.

Attack Overview

The Turla threat actors have launched a coordinated attack targeting the defence sector in Ukraine and Eastern Europe. The attack starts with phishing emails carrying Excel XLSM attachments that contain malicious macros. When enabled, the macros run a PowerShell command that creates a scheduled task posing as a Firefox browser updater. In reality, the task downloads the DeliveryCheck backdoor, also known as CapiBar and GAMEDAY, and executes it in memory. The backdoor then connects to the threat actor's command-and-control server, from which further malware payloads can be delivered and executed.
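The persistence step above (a scheduled task named like a Firefox updater that actually launches PowerShell) can be checked for with a small added detection script; this is illustrative code written for this page, not part of the original article or of any published DeliveryCheck tooling. It reads task definitions in the Task Scheduler XML format that `schtasks /query /xml` exports; the two sample definitions and the function name `analyse_task` are constructed for the example.

```python
# Added detection example: flag scheduled tasks whose name mimics a Firefox
# updater but whose action runs a script host rather than a Mozilla binary.
# Both task definitions below are constructed samples, not real artefacts.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BROWSER_WORDS = re.compile(r"firefox|mozilla", re.I)
SCRIPT_HOSTS = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?$", re.I)
SUSPICIOUS_ARGS = re.compile(r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|downloadstring", re.I)

def analyse_task(xml_text: str) -> dict:
    """Return the task name, its command line and the reasons (if any) it looks suspicious."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip().strip('"')
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    reasons = []
    if BROWSER_WORDS.search(name):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1]   # file name part of the command
        if SCRIPT_HOSTS.match(exe):
            reasons.append(f"browser-named task runs script host {exe}")
        if not re.search(r"\\Mozilla Firefox\\", cmd, re.I):
            reasons.append("command is not under the Mozilla Firefox install directory")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("arguments use hidden-window / encoded-command / download patterns")
    return {"name": name, "command": f"{cmd} {args}".strip(), "reasons": reasons}

# Constructed: a benign task shaped like Firefox's own Default Browser Agent task.
LEGIT_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Mozilla\Firefox Default Browser Agent</URI></RegistrationInfo>
  <Actions><Exec>
    <Command>C:\Program Files\Mozilla Firefox\default-browser-agent.exe</Command>
    <Arguments>do-task</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: a task named like a Firefox updater that actually runs PowerShell.
FAKE_UPDATER_TASK = r"""<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Firefox Update</URI></RegistrationInfo>
  <Actions><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-w hidden -enc PLACEHOLDER_BASE64_PAYLOAD</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for task_xml in (LEGIT_TASK, FAKE_UPDATER_TASK):
        result = analyse_task(task_xml)
        print(result["name"], "->", result["reasons"] or "looks benign")
```

On a live host, feed it the output of `schtasks /query /xml /tn <task>` for each task and treat any non-empty reasons list as a lead to triage, not as proof of compromise.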

DeliveryCheck Features

What sets DeliveryCheck apart is its Microsoft Exchange server-side component. This component is installed using Desired State Configuration (DSC), a PowerShell feature for declaring and enforcing standard server configurations. The threat actors use DSC to load a base64-encoded Windows executable automatically, turning the legitimate Exchange server into a malware-distribution server under their command and control.

Malware Capabilities

Once the devices are infected, the Turla group utilizes DeliveryCheck to exfiltrate data using the Rclone tool. Additionally, during the attack, the Turla threat actors have been observed dropping the KAZUAR information-stealing backdoor, described as a "fully-featured Secret Blizzard implant." KAZUAR allows the threat actors to execute JavaScript on the infected devices and steal data from event logs, system files, and various applications, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook.

Of particular interest is the Turla group's focus on exfiltrating files containing messages from the Signal Desktop messaging application, potentially compromising private Signal conversations, along with other documents, images, and archive files on targeted systems.

Recommended Mitigation

  • Patch Management: Keep all Microsoft Exchange servers up to date with the latest security patches and updates. Regularly monitor and apply patches to address potential vulnerabilities.

  • Stay Informed: Treat unexpected emails with suspicion, especially those carrying Excel attachments with macros. Verify the legitimacy of email senders and do not enable macros in documents from unknown or unverified sources.

In conclusion, the Turla hacking group's recent attack using the DeliveryCheck malware poses a significant threat to the defence industry and Microsoft Exchange servers in Ukraine and Eastern Europe. The sophisticated nature of the malware, along with the use of the Exchange server-side component, demonstrates the group's advanced capabilities and tactics. Organizations in the target regions should remain vigilant, implement recommended mitigation strategies, and work closely with cybersecurity experts to detect and respond to potential threats effectively. Additionally, sharing malware samples and relevant information with cybersecurity companies can aid in improving detection and response capabilities across the community.
