Friday, January 15, 23:15

Security researchers analyze PowerShell scripts used by Russian hackers


Security researchers at ESET are analyzing the PowerShell scripts used in recent attacks by the Russian hacking group Turla.

The group's main targets are various diplomatic organizations, such as the US and French militaries and the German Foreign Ministry, as well as entities in the Middle East.

The group, also known as Snake, Waterbug, KRYPTON and Venomous Bear, has recently been using PowerShell scripts to load and execute malware in an attempt to evade detection. According to ESET researchers, while the group previously used a loader based on Posh-SecMod, it has since refined its PowerShell scripts.

The group's PowerShell loader is designed to achieve persistence, decrypt its payload, and load the embedded executable or library into memory. For persistence, Turla either uses Windows Management Instrumentation (WMI) or modifies the PowerShell profile.

The first method creates two WMI event filters and two WMI event consumers that launch PowerShell commands and load a script stored in the Windows registry. The second method modifies the PowerShell profile, a script that runs every time PowerShell starts, so that it executes a PowerShell command similar to the one used in the WMI consumers.
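The two persistence locations described above can both be enumerated with built-in cmdlets. The following audit script is an added example, not code from ESET or from the Turla toolset: it lists every permanent WMI event subscription (filter, query, command-line consumer) in the root\subscription namespace and every PowerShell profile path the current host would dot-source at startup, and marks entries worth a closer look. The keyword pattern in `$suspectPattern` is an assumption for illustration, not a published signature; run it in an elevated session and review the output by hand.

```powershell
# Added example (not from the ESET report or from Turla's scripts).
# Enumerates WMI permanent event subscriptions and PowerShell profile scripts,
# the two persistence mechanisms described in the article, and flags entries
# whose commands or content match an assumed, illustrative keyword list.

function Find-PowerShellPersistence {
    # Assumption: these keywords are only a starting point for manual review.
    $suspectPattern = 'powershell|-enc|frombase64string|iex|invoke-expression|hklm:|hkcu:|registry'

    # 1. WMI permanent event subscriptions live in root\subscription as a
    #    __EventFilter bound to a consumer via __FilterToConsumerBinding.
    $filters   = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer
    $bindings  = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter/Consumer are REF properties: a CimInstance with Get-CimInstance,
        # or a string such as __EventFilter.Name="..." from older tooling.
        $filterName   = if ($b.Filter   -is [string]) { ($b.Filter   -split '"')[1] } else { $b.Filter.Name }
        $consumerName = if ($b.Consumer -is [string]) { ($b.Consumer -split '"')[1] } else { $b.Consumer.Name }
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName
        if (-not $c) { continue }   # other consumer types (e.g. ActiveScriptEventConsumer) need separate review

        [pscustomobject]@{
            Type     = 'WMI'
            Flag     = if ($c.CommandLineTemplate -match $suspectPattern) { 'REVIEW' } else { 'ok' }
            Filter   = $filterName
            Query    = $f.Query
            Location = $consumerName
            Content  = $c.CommandLineTemplate
        }
    }

    # 2. PowerShell profile scripts: all four paths the current host honours.
    $profilePaths = @(
        $PROFILE.AllUsersAllHosts,
        $PROFILE.AllUsersCurrentHost,
        $PROFILE.CurrentUserAllHosts,
        $PROFILE.CurrentUserCurrentHost
    )
    foreach ($p in $profilePaths) {
        if (-not (Test-Path -Path $p)) { continue }
        $content = Get-Content -Path $p -Raw
        if (-not $content) { $content = '' }
        $oneLine = $content -replace '\s+', ' '

        [pscustomobject]@{
            Type     = 'Profile'
            Flag     = if ($content -match $suspectPattern) { 'REVIEW' } else { 'ok' }
            Filter   = ''
            Query    = ''
            Location = $p
            Content  = $oneLine.Substring(0, [Math]::Min(120, $oneLine.Length))
        }
    }
}

Find-PowerShellPersistence | Format-Table -AutoSize -Wrap
```

A profile that exists at all on a server or on an account that never customised its shell is itself worth a question, regardless of the keyword match; likewise, any CommandLineEventConsumer whose template starts PowerShell is unusual enough in most environments to justify looking at the script or registry value it references.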

The researchers also found samples from March 2019 that had been modified to bypass the Antimalware Scan Interface (AMSI), an interface that lets Windows applications integrate with the installed antimalware product.

ESET found that the attackers used the PowerShell scripts to load payloads including an RPC backdoor and a PowerShell backdoor.

The Turla group is known for using backdoors based on the RPC protocol. These backdoors allow the group to control other machines on the local network even when there is no external C&C server.

Using the RPC backdoor, the attackers can upload and download files and execute commands via cmd.exe or PowerShell. The backdoor is split into two parts and includes a client that lets the attackers run commands on systems where the server component is installed.

One of the PowerShell backdoors developed by the Turla team is PowerStallion. It is a lightweight tool that uses Microsoft's online storage service, OneDrive, as a C&C server. It also takes advantage of the free email service, GMX.

According to ESET, this malware serves as a recovery tool: the attackers fall back on it if the main backdoors, such as Carbon or Gazer, are removed and they lose access to the infected machines.

Turla now uses open-source tools, but that does not mean it has stopped using its custom ones. In fact, the payloads loaded by the PowerShell scripts, the RPC backdoor and PowerStallion, all belong to the latter category.

ESET said Turla will remain a concern for a long time, since it is constantly developing new and complex malware.


Absent Mia