ESET researchers discover a new backdoor used by Turla to exfiltrate stolen documents to Dropbox
ESET researchers found a previously undocumented backdoor and document stealer. Dubbed Crutch by its developers, we were able to attribute it to the infamous Turla APT group. According to our research, it was used from 2015 to, at least, early 2020. We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets as is common for many Turla tools..
Turla is a cyberespionage group active for more than ten years. It has compromised many governments, especially diplomatic entities, all around the world, operating a large malware arsenal that we have described in the last years.
During our research, we were able to identify strong links between a Crutch dropper from 2016 and Gazer. The latter, also known as WhiteBear, was a second-stage backdoor used by Turla in 2016-2017. Our analysis is based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. We identified the following similarities:
Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal.
Another interesting observation is the presence of FatDuke and Crutch at the same time on one machine. The former is a third-stage backdoor that we attributed to the Dukes/APT29 in our Operation Ghost report. However, we don’t have any evidence of interaction between these two malware families. It is possible that both groups independently compromised the same machine.
According to ESET LiveGrid® data, Turla used the Crutch toolset against several machines of the Ministry of Foreign Affairs in a country of the European Union. These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts Turla operators controlled.
We were able to capture some of the commands sent by the operators to several Crutch v3 instances, which is helpful to understand the goal of the operation. The operators were mainly doing reconnaissance, lateral movement and espionage.
The main malicious activity is the staging, compression and exfiltration of documents and various files, as shown in Figure 1. These are commands manually executed by the operators, thus not showing the automated collection of documents by the drive monitor component described in a later section. The exfiltration is performed by another backdoor command and thus not shown in the examples below.
Figure 1. Manual commands executed by the operators during the espionage phase
Finally, the operators have a certain sense of humor. At some point, they executed the following command:
In order to have a rough idea of the working hours of the operators, we exported the hours at which they uploaded ZIP files to the Dropbox accounts they operate. These ZIP files contain commands for the backdoor and are uploaded to Dropbox by the operators, asynchronously from the time at which the backdoor reads and executes their content. Thus, this should show when the operators are working and not when the victim’s machines are active.
We collected 506 different timestamps and they range from October 2018 to July 2019. They are plotted in Figure 2.
Figure 2. Working hours of Crutch operators based on the uploads to Dropbox
Given the graph, the operators are likely to operate in the UTC+3 time zone.
We believe that Crutch is not a first-stage backdoor and is deployed after the operators have already compromised an organization’s network.
The first method consists in using a first-stage implant such as Skipper. In 2017, we saw Crutch being deployed a few months after the computer was compromised by Skipper. Then, the malware operators also compromised other machines on the local network by moving laterally.
The second method we have witnessed is the use of PowerShell Empire. We were not able to uncover how the malicious script arrived on the machine, but we believe it was through another implant although a phishing document cannot be excluded. It should be noted that the PowerShell Empire scripts were using OneDrive and Dropbox.
From 2015 to mid-2019, the malware architecture used a backdoor communicating with Dropbox and a drive monitor without network capabilities.
Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. It can execute basic commands such as reading and writing files or executing additional processes. It persists via DLL hijacking on Chrome, Firefox or OneDrive. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain.
The second main binary is a removable-drive monitor that searches for files that have an interesting extension (.pdf, .rtf, .doc, .docx). It then stages the files in an encrypted archive.
Figure 3. Architecture of Crutch v3
In July 2019, we found a new version of Crutch. While we don’t have the developer’s version number, we believe it has evolved enough to qualify as version 4. This new version is an updated version of the removable-drive monitor with networking capabilities.
Figure 4 shows the architecture of Crutch v4. The main difference is that it no longer supports backdoor commands. On the other hand, it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility.
Figure 4. Architecture of Crutch v4
The working directory of this v4 is C:Intel where the following components are found:
As does Crutch v3, it persists using DLL hijacking. However, in this case the host application is an old Microsoft Outlook component that is dropped on the compromised system by the operators.
In the past few years, we have publicly documented multiple malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.
Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.
Indicators of Compromise can also be found on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: email@example.com.
Note: This table was built using version 7 of the MITRE ATT&CK framework.