Turla hacking group updated Neuron malware to attack UK organizations

Organizations in the UK are warned about possible Neuron malware attacks

The United Kingdom's National Cyber Security Centre (NCSC) warned[1] that the infamous hacking group called Turla is back and is trying to steal sensitive data from military, technology, energy, government and commercial organizations in the United Kingdom.

This hacking group, which is linked with Russia, has been known since at least 2007.[2] It has already launched several massive attacks against organizations in Europe and the United States. According to the NCSC, this time the criminals are using an updated version of malware that targets mail and web servers running Windows.

According to the latest information, the criminals continue to use the Neuron and Nautilus malware in conjunction with the Snake rootkit. This attack chain gives them network access to the compromised systems and lets them steal sensitive information. However, researchers report several changes and updates to the malware.

Turla updated Neuron malware to avoid detection

Neuron and Nautilus malware were used in previous attacks launched by the Turla group. However, the criminals updated their malicious programs as soon as reports about possible malware attacks were made public in November 2017.[3] They needed only five days to improve their malicious program.

According to the NCSC analysis, the malware became harder to detect: the criminals updated it specifically to bypass the detection methods that organizations had previously been warned to look for.

One of the most important modifications was made to the malware payload. It is still executed on the targeted system from a .NET file, but due to the changes, antivirus programs are unable to detect it.

Previously the malware relied on RC4 encryption; this has been replaced with AES. Communications between the malware clients and servers were altered too. It is assumed that all of these changes were made to evade antivirus detection.

Therefore, the United Kingdom's National Cyber Security Centre recommends that organizations strengthen their security and make sure that the updated version of the malware cannot compromise their networks.

Turla group actively targets organizations in post-Soviet countries too

Researchers from ESET also report on other new activities of the Turla hacking group in 2018.[4] Attackers were spotted targeting embassies and consulates in post-Soviet countries. Here the criminals use social engineering to trick victims into installing a fake Adobe Flash Player.

However, when people run the fake Flash Player installer, it also downloads backdoor malware onto the system. Researchers assume that it might be the Mosquito malware,[5] which can gain full access to the targeted device and track every step the victim takes on the system.

The success of this attack rests on a sophisticated social engineering technique. Attackers made victims believe that they were downloading a legitimate program from adobe.com. However, it is just trickery by cyber criminals who found a way to use Adobe's legitimate URLs and IP address. Researchers claim that the criminals did not compromise Adobe's website and did not exploit any vulnerabilities to launch the attack.

Security experts recommend that employees remain vigilant and not rush into downloading any programs or updates without consulting the IT department first.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. At the moment, he serves as Editor-in-chief.
