Microsoft and the Ukrainian CERT issued a warning about Russian state hacking group Turla launching new attacks. The targets include the defense industry and Microsoft Exchange servers, exploiting a new “DeliveryCheck” malware backdoor.
The Turla threat actor, known by various names like Secret Blizzard, KRYPTON, and UAC-0003, is an advanced persistent threat (APT) group believed to be connected to Russia’s Federal Security Service (FSB).
They have been involved in multiple cyberattacks against Western interests, including the Snake cyber espionage malware, which was disrupted in “Operation MEDUSA.”
CERT-UA and Microsoft jointly published a report and Twitter thread today, revealing a new attack by the Turla threat actors aimed at the defense sector in Ukraine and Eastern Europe.
The attack starts with a phishing email having a harmful Excel XLSM file. When opened, it runs malicious macros, leading to the download of the DeliveryCheck backdoor and connecting to the threat actor’s control server for more instructions or new malware.
The threat actors used the backdoor to infiltrate the devices and extract data using the Rclone tool.DeliveryCheck stands out due to its server-side component on Microsoft Exchange servers, converting them into command and control servers for the threat actors.
Microsoft states that this component is installed using Desired State Configuration (DSC), a PowerShell module used by administrators to create a standard server configuration and apply it to multiple devices automatically.
The DSC function is typically employed to create a default configuration template, which enables automated configuration of multiple devices with the same settings.
The threat actors utilize DSC to load a base64-encoded Windows executable, transforming the legitimate Exchange server into a malware distribution server.
It can obtain authentication tokens, cookies, and credentials from browsers, FTP programs, VPN software, KeePass, Azure, AWS, and Outlook.