Open Mon - Sat 08:00-16:00
Email info@royaltrendia.com Call Now! +254-736-951-730
Open Mon - Sat 08:00-16:00
Email info@royaltrendia.com Call Now! +254-736-951-730
Turla targets diplomats in Eastern Europe using fake Adobe Flash Player installers, Is it safe to get Adobe Flash Player?, Is there an Adobe Flash Player virus?, Is it safe to use Adobe Flash?, Can I delete the Adobe Flash Player installer?
SHARE THIS

ESET, a global leader in information security, has identified and analyzed new malware used by Turla – the notorious state-sponsored cyberespionage group – to target high-value political organizations in Eastern Europe. This new tool, ESET reveals, attempts to trick victims into installing malware from what appears to be Adobe’s website, with the goal of extracting sensitive information from Turla‘s targets.

While the Turla group has relied on fake Flash installers to dupe users to install one of their backdoors in the past, this is the first time that the malicious program is downloaded from legitimate Adobe URLs and IP addresses. ESETis confident, however, that Turla’s malware has not compromised any legitimate Flash Player updates, nor is it associated with any known Adobe product vulnerabilities.

Analysis of Adobe Flash abuse

Having monitored the Turla group closely for many years,ESETfound that this new malware is not only packaged with a legitimate Flash Player installer but also appears to be from adobe.com. From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash installer.

However, on closer inspection, ESET was able to see that the fake Flash installers were performing a GET request to extract sensitive information from the newly compromised systems. ESET telemetry can reveal that Turla installers have been exfiltrating information to get.adobe.com URLs since at least July 2016. Using legitimate domains for data exfiltration makes its detection in network traffic much harder for defenders, whichhighlightsthe Turla group‘sdesire to remain as stealthy as possible.

See also  Cyber Attack Exposes Clients' Emails At Deloitte

Turla operators have many sophisticated ways of tricking users into downloading seemingly authentic software, and are clever inhow they hide their malicious traffic,” said Jean-Ian Boutin, senior malware researcher at ESET. “Even the most experienced users could be fooled into downloading a malicious file that looks as though it is from Adobe.com, since the URL and IP address mimics Adobe’s legitimate infrastructure. As all the downloads we saw were done over HTTP, we advise organizations to forbid the download of executable files over an unencrypted connection. This would significantly reduce the effectiveness of Turla’s attacks, as it is harder to intercept and modify encrypted traffic on the path between a machine and a remote server. Secondly, checking the file signature should confirm whether something suspicious is happeninggiven that these malicious files are not signed and installers from Adobe are. Taking such steps should help users avoid falling victim to Turla’s latest campaign.”

Evidence of Turla involvement

ESET can be certain that this campaign is attributed to the Turla group for a number of reasons. First, some fake Flash installers drop a backdoor referred to as Mosquito, which has already been detected as Turla malware. Second, some of the Command and Control (C&C) servers linked to the dropped backdoors are using SATCOM IP addresses previously associated with Turla. Lastly, this malware shares similarities with other malware families used by the Turla group.

To read more about ESET’s analysis of Turla’s new malware, please click here.

Facebook Comments

SHARE THIS
About the author

Daniel Maithya is the Founder and CEO of RoyalTrendia. He is the 2019 Top 100 Most Influential Young Kenyans according to Avance Media, FOYA East Africa Social Founder of the year 2020 award winner and a Digital Media Strategist. Cell: 0705 921 599 | danielmaithya@gmail.com

Leave a Reply

× Chat