ESET’s security experts have found a new malware that Russian cyber-espionage group Turla has been using in carrying out attacks against governments.

Turla, which has been active since at least 2006, was recently seen targeting a European government with a combination of backdoors.

Called Crutch, the newly identified backdoor was also found on the network of a Ministry of Foreign Affairs in a European Union country. According to ESET, the malware is likely used only against very specific targets, a common feature of many Turla tools.

The Crutch backdoor appears to have been in use from 2015 until at least early 2020. ESET was able to link a 2016 dropper for this malware to Gazer (WhiteBear), a second-stage backdoor that the cyber-espionage group was using in 2016-2017.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” ESET says.

The security investigators also revealed that both Crutch and FatDuke were present on the same machine simultaneously, but did not find evidence of interaction between the two malware families.

Some of the commands the operators sent to the malware suggest they focused on reconnaissance. The investigators observed staging, compression and exfiltration of data, with all operations driven by manually issued commands.

“In the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET concludes.
