Security researchers at ESET have analyzed the PowerShell scripts used in recent attacks by the Russian hacking group Turla.
The group's main targets are government and diplomatic organizations, such as the US and French militaries and the German Foreign Ministry, as well as entities in the Middle East.
The group, also known as Snake, Waterbug, KRYPTON and Venomous Bear, has recently been using PowerShell scripts to load and run malware in an attempt to bypass detection. According to the ESET researchers, the group previously used a loader based on Posh-SecMod but has since refined its own PowerShell scripts.
The group's PowerShell loader is designed to achieve persistence, decrypt its payload, and load the embedded executable or library into memory. For persistence, Turla either uses Windows Management Instrumentation (WMI) or modifies the PowerShell profile.
The first method creates two WMI event filters and two WMI event consumers that launch a PowerShell command which loads a script stored in the Windows registry. The second method modifies the PowerShell profile, a script that runs each time PowerShell starts, so that it executes a PowerShell command similar to the one used in the WMI consumers.
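As an added defensive example (not code from ESET's report or from the malware), the following PowerShell audits the two persistence locations described above: permanent WMI event subscriptions and the PowerShell profile files. The indicator strings it looks for are illustrative assumptions, not indicators from the research.

```powershell
# Added example: audit WMI subscriptions and PowerShell profiles for loader-style
# command lines. Indicator strings are assumptions for illustration, not IoCs.
$Indicators = @('powershell', '-EncodedCommand', '-enc ', 'FromBase64String',
                'Get-ItemProperty', 'HKLM:', 'HKCU:', 'Invoke-Expression', 'IEX ',
                '-NoProfile', '-WindowStyle Hidden')

function Get-IndicatorHits([string]$Text) {
    # Case-insensitive substring match; returns the indicators present in $Text.
    if (-not $Text) { return @() }
    return @($Indicators | Where-Object { $Text -imatch [regex]::Escape($_) })
}

function Test-Artifact($Source, $Name, $Body) {
    # Emit a record when at least two indicators co-occur (single hits are noisy).
    $hits = Get-IndicatorHits $Body
    if ($hits.Count -ge 2) {
        $norm = ($Body -replace '\s+', ' ').Trim()
        [pscustomobject]@{
            Source     = $Source
            Name       = $Name
            Indicators = ($hits -join ', ')
            Excerpt    = $norm.Substring(0, [Math]::Min(120, $norm.Length))
        }
    }
}

# 1. Permanent WMI subscriptions live in root\subscription: the filter is the
#    trigger (a WQL query), the consumer is the action, and a binding joins them.
#    CommandLineEventConsumer is the class that runs an arbitrary command line.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    ForEach-Object { Test-Artifact 'WMI consumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    ForEach-Object { Test-Artifact 'WMI consumer' $_.Name $_.ScriptText }
# List the bindings so each flagged consumer can be traced back to its filter.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object @{n='Filter'; e={$_.Filter.Name}}, @{n='Consumer'; e={$_.Consumer.Name}}

# 2. PowerShell profiles: every path in $PROFILE is executed when a host starts,
#    so an injected loader line here behaves like the WMI consumer's command.
$PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
$PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Test-Artifact 'PowerShell profile' $_ (Get-Content -Path $_ -Raw) }
```

Run it with administrative rights so the root\subscription namespace and the all-users profile paths are readable; a legitimate management tool can also create WMI subscriptions, so review each hit against the filter query that triggers it.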
The researchers also found samples from March 2019 that had been modified to bypass the Antimalware Scan Interface (AMSI), the Windows interface that lets applications integrate with the installed antimalware product.
ESET revealed that the attackers used the PowerShell scripts to load several payloads, including an RPC backdoor and a PowerShell backdoor.
The Turla group is known for using backdoors based on the RPC protocol. These backdoors allow the group to control other machines on the local network even when there is no external C&C server.
Using the RPC backdoor, the attackers can upload and download files and execute commands via cmd.exe or PowerShell. The backdoor is split into two parts and includes a client that lets the attackers execute commands on systems where the server component is installed.
One of the PowerShell backdoors developed by the Turla group is PowerStallion, a lightweight tool that uses Microsoft's online storage service OneDrive as its C&C server. It also makes use of the free email service GMX.
According to ESET, this malware is used as a recovery tool: the attackers fall back on it if the main backdoors, such as Carbon or Gazer, are removed and access to the infected computers is lost.
Turla now uses open-source tools, but that does not mean it has stopped using its custom ones. In fact, the payloads loaded by the PowerShell scripts, including the RPC backdoor and PowerStallion, belong to the second category.
ESET said that Turla will remain a concern for a long time, since the group is constantly developing new and complex malware.