The UK’s National Cyber Security Centre (NCSC) has warned organizations about a new take on a known threat from Turla, a hacking group that's been active for several years and thought to be funded by the Kremlin.
Kaspersky Lab in 2014 detailed Turla's "epic" 10-month hacking spree across 45 countries, chiefly targeting European government and intelligence agencies, embassies, military, research organizations and drug firms.
Turla is still active and on the UK's radar. The NCSC, a unit of Britain’s spy agency GCHQ, published its first report on Turla's twin espionage tools -- Neuron and Nautilus -- in November.
"The NCSC has observed these tools being used by the Turla group to maintain persistent network access and to conduct network operations," it said at the time.
The two tools are installed on Windows PCs, Exchange email servers and IIS web servers following an initial infection with a rootkit called Snake.
The exposure NCSC gave to the tools in its initial report either disrupted Turla's espionage activity or threatened its work enough to warrant Turla engineers redesigning Neuron to better evade detection.
NCSC published its follow-up Neuron report on Thursday after discovering a new version, dubbed "Neuron2", that was created just five days after Neuron's exposure in November.
Neuron2 was modified to dodge the signatures and indicators of compromise outlined in the November report. One of the key changes is that Neuron now delivers an in-memory payload — or fileless malware — rather than using the former method of writing the payload to disk, which was easier to detect.
NCSC described Turla as experienced at maintaining covert access through incident response activities.
“They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold back onto a victim even after the initial infection vector has been mitigated,” NCSC observed.
Neuron consists of a service installed on a compromised web server, and a client on an infected PC that extracts information and hands it to the service for exfiltration. The Neuron service is installed by exploiting flaws in server software, while the client is typically installed via spear-phishing email using Word documents containing malicious macros.
Key changes in the modified version are primarily designed to make detection harder and include:
• The .NET payload is loaded in-memory as opposed to being dropped to disk;
• Communications have been modified to avoid detection;
• Some encryption methods have replaced RC4 with AES;
• The modifications are sufficient to avoid previously released signatures & IOCs.
The NCSC assessed that the new variant "contains sufficient modifications to frustrate detection, allowing Turla operations to continue."
The in-memory modification will most likely allow it to evade detection during antivirus disk scans, but NCSC reckons antivirus that scans memory will still likely be able to detect the payload while it is running.
At the same time, NCSC notes the new version's payload is "encrypted within the loader, which ensures the payload never touches disk in plaintext".