Turla -> Stealthy Linux Trojan May Have Infected Victims For Years

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Stealthy Linux Trojan May Have Infected Victims For Years

Tuesday December 09, 2014

An anonymous reader writes: Researchers from Moscow-based Kaspersky Labs
have uncovered an extremely stealthy trojan for Linux systems that
attackers have been using to siphon sensitive data from governments and
pharmaceutical companies around the world.

The malware may have sat unnoticed on at least one victim computer for
years, although Kaspersky Lab researchers still have not confirmed that
suspicion. The trojan is able to run arbitrary commands even though it
requires no elevated system privileges.




Recently, an interesting malicious sample was uploaded to a
multi-scanner service. This immediately triggered our interest because
it appears to represent a previously unknown piece of a larger puzzle.
That puzzle is "Turla", one of the most complex APTs in the world.

We have written previously about the Turla APT with posts about their
Epic Turla operations  and Agent.btz inspiration . So far, every single
Turla sample we've encountered was designed for the Microsoft Windows
family, 32 and 64 bit operating systems. The newly discovered Turla
sample is unusual in the fact that it's the first Turla sample targeting
the Linux operating system that we have discovered.

This newly found Turla component supports Linux for broader system
support at victim sites. The attack tool takes us further into the set
alongside the Snake rootkit and components first associated with this
actor a couple years ago. We suspect that this component was running for
years at a victim site, but do not have concrete data to support that
statement just yet.

The Linux Turla module is a C/C++ executable statically linked against
multiple libraries, greatly increasing its file size. It was stripped of
symbol information, more likely intended to increase analysis effort
than to decrease file size. Its functionality includes hidden network
communications, arbitrary remote command execution, and remote
management. Much of its code is based on public sources.

Hardcoded C&C, known Turla activity: news-bbc.podzone[.]org

The domain has the following pDNS IP:

Note: the C&C domain is currently sinkholed by Kaspersky Lab.
Functional description

The sample is a stealth backdoor based on the cd00r sources.

This Turla cd00r-based malware maintains stealth without requiring
elevated privileges while running arbitrary remote commands. It can't be
discovered via netstat, a commonly used administrative tool. It uses
techniques that don't require root access, which allows it to be more
freely run on more victim hosts. Even if a regular user with limited
privileges launches it, it can continue to intercept incoming packets
and run incoming commands on the system.

Startup and Execution

To start execution, the process requires two parameters: ID (a numeric
value used as a part of the "magic packet for authentication") and an
existing network interface name. The parameters can be inputted two
different ways: from STDIN, or from dropper a launching the sample. This
is NOT a command-line parameter, it's a real prompt asking the attacker
user to provide the input parameters. After the ID and interface name
are entered and the process launched, the backdoor's process PID is
returned. Here is a screenshot of this simple interface:

While there is no initial network callback, a section of code maintains
a hardcoded c2 string "news-bbc.podzone[.]org". This fully qualified
domain name was first set up in 2010, suggesting that this binary is
fairly recent in the string of Turla campaigns. Also, while we haven't
seen additional file download activity from this server by this tool, it
likely participated as a file server of sorts.
Magic Packets for Remote Command Execution

The module statically links PCAP libraries, and uses this code to get a
raw socket, applies a filter on it, and captures packets, checking for a
specific condition (the *original cd00r first used this method, based on
ports and SYN-packets). This condition is expressed here (it is based on
the ID value input at startup by the attacker):
ID = 123 Filter = (tcp[8:4] & 0xe007ffff = 0xe003bebe) or (udp[12:4] &
0xe007ffff = 0xe003bebe) ID = 321 Filter = (tcp[8:4] & 0xe007ffff =
0x1bebe) or (udp[12:4] & 0xe007ffff = 0x1bebe)

In simple terms, it checks for an ACK number in the TCP header, or the
second byte from the UDP packet body.

If such a packet is received and the condition check is successful,
execution jumps to the packet payload contents, and it creates a regular
socket. The backdoor handles this socket as a file with read/write
operations. It's not the typical recv/send used in this code. It uses
this new socket to connect to the source address of the "magic packets".
Then it reports its own PID and IP to the remote address, and starts an
endless loop for receiving remote commands. When a command arrives, it
is executed with a "/bin/sh -c " script.

Further analysis of the sample's functionality will be updated here.


Although Linux variants from the Turla framework were known to exist, we
haven't seen any in the wild yet.

This specific module appears to have been put together from public
sources with some added functionality from the attackers. Some of the
malicious code appears to be inactive, perhaps leftovers from older
versions of the implant. Perhaps the most interesting part here is the
unusual command and control mechanism based on TCP/UDP packets, as well
as the C&C hostname which fits previously known Turla activity.

The discovery of this Turla module rises one big question: how many
other unknown Turla variants exist?

Update: Since the publishing of this blogpost, we have discovered
another Linux Turla module, which apparently represents a different
malware generation than the previously known samples:


The new sample was heuristically detected by our product due to
similarities with the previously discovered samples.

801,561 bytes    HEUR:Backdoor.Linux.Turla.gen

One particular comment:

cd00r is hardly new or sophisticated………… we’re talking about circa 2002
rootkit technology….. why all the excitement?

Site Timeline