Pelmeni Wrapper: Another Tool in Turla's Arsenal


Research conducted by Lab52 has revealed a new Turla campaign employing innovative strategies alongside a tailored version of the Kazuar trojan. Their analysis delves into the technical aspects of the campaign's approach and furnishes indicators of compromise (IOCs) to enhance defensive strategies.

Turla, a cyber espionage group believed to have ties to the Russian FSB, is renowned for its precise targeting and sustained operational tempo. Operating since at least 2004, Turla primarily targets government bodies, research establishments, embassies, as well as industries spanning energy, telecommunications, and pharmaceuticals globally.

The campaign in question illustrates Turla's emphasis on precise targeting. It is likely initiated through prior infections, with a malicious DLL concealed within seemingly legitimate libraries (such as SkyTel, NVIDIA, etc.). Referred to as the 'Pelmeni Wrapper', this DLL initiates the next stage payload.

The Pelmeni Wrapper incorporates the following functionalities:

Operational Logging: Generates a concealed log file with randomized names and extensions to monitor campaign activities.
Payload Delivery: Utilizes a customized decryption technique leveraging a pseudorandom number generator to facilitate function loading and execution.
Execution Flow Redirection: Manipulates process threads and inserts code to redirect execution to a decrypted .NET assembly housing the core malware.


Turla's intricate strategy culminates in the deployment of Kazuar, a versatile trojan horse that has been a mainstay in Turla's arsenal since its discovery in 2017. Lab52's analysis highlights subtle yet noteworthy advancements in Kazuar's deployment, including a new data exfiltration protocol and a change of logging directory, variations that distinguish this sample from its predecessors.

The extracted .NET assembly represents a modified version of the Kazuar trojan. Key discrepancies compared to previously analyzed iterations include:

Expanded Exfiltration Protocol: Incorporation of socket-based exfiltration enhances the malware's adaptability in communication.
Modified Log Storage: A relocation of the log directory indicates customization specific to this campaign.

This research provides insights into Turla's evolving tactics and their continued utilization of the Kazuar trojan. As advanced persistent threats (APTs) evolve, comprehending their methodologies remains imperative for proactive defense. Through the integration of threat intelligence and sustained vigilance, organizations can mitigate the risks posed by this sophisticated threat actor.

March 19, 2024