The email's .gz attachment contains an executable; if opened, it triggers the malware infection. Stolen data is exfiltrated via Telegram.
ESET: Russian Turla cyber spies change tactics and begin incorporating open-source tools, as confirmed by the Mosquito campaign against embassies in Eastern Europe
The Russian cyber spies Turla (alias Uroboros) have changed tactics and started incorporating open-source tools, as discovered by security researchers at ESET. Since March 2018 the group has leveraged the open-source exploitation framework Metasploit before dropping its custom Mosquito backdoor (the campaign carries the same name). In the past it relied on its own tools, such as Skipper. The targets are still embassies and consulates in Eastern Europe, but the TTPs have changed. “The Turla campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer,” ESET wrote in a post. “Then, the shellcode downloads a Meterpreter, which is a typical Metasploit payload, allowing the attacker to control the compromised machine. Finally, the machine may receive the typical Mosquito backdoor.”
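The chain ESET describes has one behaviour that a legitimate installer does not share: the installer-named process contacts the network and then drops and launches a second installer executable (the decoy). The following hunting heuristic, an added example written for this page and not code from ESET or from the campaign, looks for exactly that sequence in endpoint telemetry. The event schema, the field names, the installer keyword list and the sample events (including the 203.0.113.x test addresses) are all constructed assumptions; adapt them to the EDR or Sysmon feed you actually have.

```python
"""Hunt for a fake-installer chain: installer-named process -> outbound
network contact -> drops an executable -> spawns that executable.

Added example; the telemetry format and all sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int       # seconds since boot (constructed clock)
    pid: int
    image: str    # full path of the process image
    kind: str     # "start" | "net" | "file_write" | "spawn"
    detail: str   # remote endpoint, written path, or child image


# Assumed keyword list for "looks like an installer"; tune per environment.
INSTALLER_HINTS = ("flash", "install", "setup", "update")


def looks_like_installer(image: str) -> bool:
    name = image.lower().rsplit("\\", 1)[-1]
    return any(hint in name for hint in INSTALLER_HINTS)


def is_executable(path: str) -> bool:
    return path.lower().endswith((".exe", ".dll", ".msi"))


def find_staged_installer_chains(events):
    """Return (pid, image, dropped_child) for every installer-named process
    that made a network connection and later launched an executable it had
    itself written to disk. Order of net contact and file write does not
    matter; the spawn of a self-dropped executable after net contact does."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_pid[e.pid].append(e)

    hits = []
    for pid, evs in by_pid.items():
        start = next((e for e in evs if e.kind == "start"), None)
        if start is None or not looks_like_installer(start.image):
            continue
        seen_net = False
        dropped = set()
        for e in evs:
            if e.kind == "net":
                seen_net = True
            elif e.kind == "file_write" and is_executable(e.detail):
                dropped.add(e.detail.lower())
            elif e.kind == "spawn" and seen_net and e.detail.lower() in dropped:
                hits.append((pid, start.image, e.detail))
                break
    return hits


# Constructed telemetry: one process matching the chain, one legitimate
# installer that writes files but never launches a second installer, and
# one unrelated process that only talks to the network.
FAKE = r"C:\Users\u\Downloads\flashplayer_install.exe"
DECOY = r"C:\Users\u\AppData\Local\Temp\flashplayer_real.exe"
REAL_SETUP = r"C:\Users\u\Downloads\chrome_setup.exe"
SAMPLE_EVENTS = [
    Event(0, 100, FAKE, "start", ""),
    Event(2, 100, FAKE, "net", "203.0.113.10:443"),
    Event(3, 100, FAKE, "file_write", DECOY),
    Event(4, 100, FAKE, "spawn", DECOY),
    Event(0, 200, REAL_SETUP, "start", ""),
    Event(1, 200, REAL_SETUP, "net", "203.0.113.20:443"),
    Event(2, 200, REAL_SETUP, "file_write", r"C:\Program Files\App\app.exe"),
    Event(0, 300, r"C:\Windows\System32\notepad.exe", "start", ""),
    Event(1, 300, r"C:\Windows\System32\notepad.exe", "net", "203.0.113.30:80"),
]


def demo():
    return find_staged_installer_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, image, child in demo():
        print(f"suspect chain: pid={pid} {image} launched self-dropped {child}")
```

Real installers also download files and write executables, so the network and file-write conditions alone are noisy; the discriminating step is the spawn of a self-dropped, installer-looking executable, which is why the heuristic only fires on that event. It targets the new chain described in the quote; the older variant that dropped two DLLs directly would need a separate rule keyed on DLL writes and loads.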
The Turla hackers have carried out cyber warfare operations (especially cyber espionage) since at least 2008, when they attacked the US Department of Defense
The Russian hackers of Turla rose to prominence in 2008, when they launched a series of cyber attacks against the US Department of Defense. On that occasion the cyber spies managed to get a USB drive plugged into a laptop at an American base in the Middle East and from there infect the military network. At the time the perpetrators of the attack were not known, but the involvement of actors linked to Moscow was already suspected, so much so that Deputy Secretary of Defense William J. Lynn III called the malware-driven intrusion “a digital beachhead, from which data could be transferred to servers under foreign control”. The group then moved on to other high-value victims, such as defense companies and governments, and finally to diplomatic offices in Eastern Europe, always for cyber warfare operations (cyber espionage above all).