News / Threat Reports

NEW: Turla APT in ongoing campaign

Turla APT is targeting UK servers with malicious tools and Snake malware in an ongoing campaign

  • The NCSC has reported on a Turla (aka WhiteBear) campaign using Neuron, Nautilus and Snake rootkit infections in an ongoing, targeted intelligence gathering operation against UK infrastructure. The targets include government, military, technology, energy and commercial organisations.
  • Distributed via a spear-phishing campaign, Neuron is composed of client and server components, which are written using .NET with codebase overlaps. The Neuron client infects victim endpoints and steals sensitive data from local client machines. The Neuron server infects network infrastructure and acts as a local C&C for the client component. 
  • The Neuron service creates its own HTTP listener and waits for requests to a configured Neuron URL endpoint, which masquerades as legitimate web services such as Microsoft Exchange and Microsoft IIS.
  • The main Nautilus payload is encrypted within a covert store on disk. Nautilus listens for client HTTP requests in order to process tasking requests, including command execution, file-deleting and file-writing to disk.

As coverage continues, Silobreaker users can easily set up a dashboard to automatically collect, alert, analyse, monitor and visualise mentions of Turla APT from hundreds of thousands of open sources in real time.

 

Screenshot 1 – Silobreaker Time Series – Monitoring mentions and developments of “Turla APT” and “Snake Malware” over time.

 

Screenshot 2 – Silobreaker Network – Real-time link analysis leveraging unstructured open source data to detect relationships between various entities. This link analysis gives timely and intuitive insights into the associations surrounding Turla APT including related malware, IOCs, command & control infrastructure, affected countries and affected products.

 

Screenshot 3 – Silobreaker Dashboard automatically collecting and contextualising data in relation to Turla APT as and when it’s published. This is a great way to keep on top of developments whilst allowing Silobreaker’s analytical tools to make sense of the data via simple-to-disseminate visualisations, trends, link analyses and highlighting of specific entities such as IOCs.

To see further analysis of the Turla APT and other cyber threats to your organisation in Silobreaker, book an online demo today.

 


Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

More News

  • Silobreaker Daily Cyber Digest – 22 June 2018

      Malware New GZipDe Malware drops Metasploit backdoor GZipDe is a new malware strain discovered by AlienVault that has recently been used in a...
  • Silobreaker Daily Cyber Digest – 21 June 2018

      Malware Mylobot leverages new evasion techniques Mylobot can shut down Windows Defender and Windows Update, block ports on the firewall, and close and...
  • Silobreaker Daily Cyber Digest – 20 June 2018

      Malware Thrip APT target satellite comms, telecom operators and defence firms Symantec spotted the hacker group Thrip APT, using the Microsoft Sysinternals tool...
View all News

Request a demo

Get in touch