The Epic Snake: Kaspersky Lab unravels the mysteries of the Turla cyber-espionage campaign
The “Epic” operation serves as the first phase in a multi-stage infection of the Turla campaign
Turla, also known as Snake or Uroburos, is one of the most sophisticated ongoing cyber-espionage campaigns. When the first research on Turla/Snake/Uroburos was published, it left one major question unanswered: how do victims get infected? The latest Kaspersky Lab research on this operation reveals that Epic is the initial stage of the Turla victim infection mechanism.
The “Epic” project has been used since at least 2012, with the highest volume of activity observed in January-February 2014. Most recently, Kaspersky Lab detected this attack against one of its users on August 5, 2014.
Victims. Targets of “Epic” belong to the following categories: government entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry of Foreign/External affairs, intelligence agencies), embassies, military, research and education organizations, and pharmaceutical companies.
Most of the victims are located in the Middle East and Europe; however, researchers observed victims in other regions as well, including the USA. In total, Kaspersky Lab experts counted several hundred victim IPs distributed across more than 45 countries, with France at the top of the list.
The attack. Kaspersky Lab’s researchers discovered that the Epic Turla attackers use zero-day exploits, social engineering and watering hole attacks (websites of high interest to the victims that have been compromised by the attackers and injected with malicious code) to infect victims. In total, Kaspersky Lab has observed more than 100 injected websites (watering holes). The choice of websites reflects the specific interests of the attackers. For example, many of the infected Spanish websites belong to local governments.
Whenever an unsuspecting user opens a maliciously-crafted PDF file on a vulnerable system, the machine will automatically get infected, allowing the attacker to gain immediate and full control over the target system.
Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&C) server and sends a package containing the victim’s system information. When the system is compromised, the attackers receive a brief summary of information from the victim and, based on that, deliver pre-configured batch files containing a series of commands for execution. In addition to these, the attackers upload custom lateral movement tools, which include a specific keylogger tool, a RAR archiver and standard utilities such as the DNS query tool from Microsoft.
Turla’s first stage. During the analysis, Kaspersky Lab researchers observed the attackers using the Epic malware to deploy a more sophisticated backdoor known as the “Cobra/Carbon system,” also named “Pfinet” by some anti-virus products. After some time, the attackers went further and used the Epic implant to update the “Carbon” configuration file with a different set of C&C servers. The unique knowledge required to operate these two backdoors indicates a clear and direct connection between them.
“The configuration updates for the ‘Carbon system’ malware are interesting, because this is another project from the Turla actor. This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,” explains Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.
Turla big picture:
- Epic Turla / Tavdig: The early-stage infection mechanism.
- Cobra Carbon system/ Pfinet (+others): Intermediary upgrades and communication plugins.
- Snake / Uroburos: High-grade malware platform that includes a rootkit and virtual file systems.
Language usage. The attackers behind Turla are clearly not native English speakers. There are indications that hint at the origin of the attackers. For instance, some of the backdoors were compiled on a system with the Russian language set. Additionally, the internal name of one of the Epic backdoors is “Zagruzchik.dll”, which means “bootloader” or “load program” in Russian. Finally, the Epic mothership control panel sets the code page to 1251, which is used for Cyrillic characters.
Links with other threat actors. Possible connections with other cyber-espionage campaigns have been observed. In February 2014, Kaspersky Lab experts observed that the threat actor known as Miniduke was using the same web-shells to manage infected web servers as the Epic team did.
To learn more about the “Epic Turla” operation, please read the blog post available at Securelist.com.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.