Extremely stealthy malware – Controlled by your emails
A long list of government foreign offices are the most recent victims of a cleverly crafted backdoor that lets malware on an infected machine be controlled by PDFs sent via email, giving the attackers access to confidential government information.
What is the threat?
An advanced persistent threat group by the name of Turla has crafted a malware that uses COM object hijacking to tamper with the Windows Registry, allowing itself to run stealthily every time Outlook is opened.
The malware constantly monitors all incoming and outgoing emails, writes a log of activity and harvested information into a specially crafted PDF, and sends that PDF to the Turla operator.
According to ESET, the malware code suggests a basic version of the email backdoor was created in 2009; it originally could only dump email files, and has since been adapted to increase its level of stealth and its capabilities.
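The persistence described above relies on a per-user registry entry taking precedence over the machine-wide COM registration. The following PowerShell is an added example (not code from the original post or from ESET's report) that a defender can run on a workstation to list user-level COM in-process servers that shadow a machine-level CLSID or load a DLL from outside the usual system directories. The function name, the list of trusted directories and the output fields are this example's own choices.

```powershell
# Added example: enumerate HKCU CLSID entries that override an HKLM CLSID or point at a DLL
# outside the expected system/program directories. Thresholds and names are assumptions.
function Find-ShadowedComServers {
    [CmdletBinding()]
    param(
        # Directories where a legitimate in-process COM server normally lives (assumption)
        [string[]]$TrustedRoots = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            "$env:ProgramFiles",
            "${env:ProgramFiles(x86)}"
        )
    )

    $userClsidRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $userClsidRoot)) { return @() }

    Get-ChildItem -Path $userClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid      = $_.PSChildName
        $inprocKey  = "$userClsidRoot\$clsid\InprocServer32"
        if (-not (Test-Path -Path $inprocKey)) { return }   # 'return' here skips to the next CLSID

        # The DLL path is the key's default value
        $userDll = (Get-ItemProperty -Path $inprocKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $userDll) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($userDll)

        # Does a machine-wide registration exist for the same CLSID? If so, HKCU wins at load time.
        $shadowsMachine = Test-Path -Path "HKLM:\Software\Classes\CLSID\$clsid"

        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
                break
            }
        }

        if ($shadowsMachine -or -not $inTrusted) {
            [PSCustomObject]@{
                CLSID               = $clsid
                UserDll             = $expanded
                ShadowsMachineEntry = $shadowsMachine
                DllInTrustedPath    = $inTrusted
                DllExists           = Test-Path -LiteralPath $expanded
            }
        }
    }
}

# Usage: review every row; a user-writable DLL that shadows a system CLSID deserves a closer look.
Find-ShadowedComServers | Format-Table -AutoSize
```

Run it per user profile (the hijack lives under HKCU, so each interactive account needs its own pass), and treat a hit as a lead rather than a verdict: some legitimate per-user software registers COM servers under HKCU, so compare the DLL's signature and location before acting.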
How does it work?
As the malware scans emails for information to log, it also constantly scans attached PDFs for new commands sent by the operator.
Due to the nature of the malware, these specially crafted emails may never reach the user's inbox, as the malware can be commanded to delete the email upon receipt; they are generally sent during business hours to maintain the malware's level of stealth and mask unusual behaviour.
How is this different from other malware?
Usually, malware is controlled using command and control servers, also referred to as C2.
The downside for attackers using this method is that as soon as the C2 address is blocked, they lose control of the malware.
With the PDF-controlled variant, by contrast, the operator is able to regain control by sending a specially crafted PDF containing a new C2 address from any rogue email account.
What is the current threat?
In its current stage there is no direct threat to regular businesses and individuals, as Turla focuses its efforts on government bodies and contractors to gain invaluable political information and details of operations.
Now that the threat has been publicly addressed, copycat malware is likely to be produced because of its level of stealth and its ability to regain control through a PDF sent by email, meaning businesses will need to carefully monitor email activity for unusual behaviour.
How can you protect yourself from the threat?
The best level of protection is to take the necessary actions to prevent an infection in the first place.
- Use virtual machines on PCs, allowing staff to boot a fresh, uninfected image on each start-up.
- Use real-time protection to block an initial infection, with active security software on devices and across the network.
- Maintain software, system, security and network updates to ensure your systems aren't vulnerable to old backdoors.
Because the rogue emails arrive through the organisation's own Exchange server, the attackers do not have to contend with perimeter firewalls; in its current stage, finding an infected machine therefore means monitoring all email activity for unusual behaviour in order to identify a possible infection.
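One concrete form of the email monitoring called for above is to correlate inbound messages carrying PDF attachments with mailbox delete events, and flag anything removed within seconds of arrival from an external sender. The PowerShell below is an added example, not code from the original post; it runs entirely on constructed in-memory records whose field names (Timestamp, Sender, Recipient, MessageId, HasPdfAttachment) are this example's own assumptions. In a real deployment those records would come from your mail server's message tracking and mailbox audit logs.

```powershell
# Added example: flag inbound PDF-bearing mail from external senders that was deleted from the
# mailbox within a short window of being received. All data below is constructed for illustration.
function Find-QuickDeletedPdfMail {
    param(
        [Parameter(Mandatory)] [object[]]$ReceiveEvents,   # one record per delivered message
        [Parameter(Mandatory)] [object[]]$DeleteEvents,    # one record per mailbox delete
        [string[]]$InternalDomains = @('example.gov'),     # assumption: your own mail domains
        [int]$WindowSeconds = 120                          # assumption: "deleted on receipt" threshold
    )

    # Index deletes by MessageId so each receive event is matched in constant time
    $deleteById = @{}
    foreach ($d in $DeleteEvents) { $deleteById[$d.MessageId] = $d }

    foreach ($r in $ReceiveEvents) {
        if (-not $r.HasPdfAttachment) { continue }

        $senderDomain = ($r.Sender -split '@')[-1]
        if ($InternalDomains -contains $senderDomain) { continue }   # internal mail is out of scope here

        $d = $deleteById[$r.MessageId]
        if (-not $d) { continue }

        $delta = ($d.Timestamp - $r.Timestamp).TotalSeconds
        if ($delta -ge 0 -and $delta -le $WindowSeconds) {
            [PSCustomObject]@{
                Recipient      = $r.Recipient
                Sender         = $r.Sender
                MessageId      = $r.MessageId
                ReceivedAt     = $r.Timestamp
                DeletedAfterSec = [int]$delta
            }
        }
    }
}

# Constructed sample data (not real log entries)
$receives = @(
    [PSCustomObject]@{ Timestamp = [datetime]'2018-08-22T10:15:03'; Sender = 'ops@mail-example.test'; Recipient = 'analyst@example.gov'; MessageId = 'm-001'; HasPdfAttachment = $true  },
    [PSCustomObject]@{ Timestamp = [datetime]'2018-08-22T10:20:41'; Sender = 'hr@example.gov';        Recipient = 'analyst@example.gov'; MessageId = 'm-002'; HasPdfAttachment = $true  },
    [PSCustomObject]@{ Timestamp = [datetime]'2018-08-22T11:02:10'; Sender = 'news@vendor.test';      Recipient = 'analyst@example.gov'; MessageId = 'm-003'; HasPdfAttachment = $false }
)
$deletes = @(
    [PSCustomObject]@{ Timestamp = [datetime]'2018-08-22T10:15:09'; Recipient = 'analyst@example.gov'; MessageId = 'm-001' },
    [PSCustomObject]@{ Timestamp = [datetime]'2018-08-22T10:21:00'; Recipient = 'analyst@example.gov'; MessageId = 'm-002' },
    [PSCustomObject]@{ Timestamp = [datetime]'2018-08-22T16:40:00'; Recipient = 'analyst@example.gov'; MessageId = 'm-003' }
)

# Only m-001 should be reported: external sender, PDF attached, deleted 6 seconds after receipt
Find-QuickDeletedPdfMail -ReceiveEvents $receives -DeleteEvents $deletes | Format-Table -AutoSize
```

The point of the correlation is the combination of signals: a PDF from outside, a delete the user did not perform, and a gap of seconds rather than hours. Any one of these on its own is ordinary mailbox activity, which is why the page's advice to watch for unusual behaviour, rather than blocking a single address, is the right framing for this threat.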
Contact us for a FREE 27-point network and cybersecurity risk assessment. One of our senior technicians will evaluate your network for potential vulnerabilities, providing you with a full report with recommendations if any risks & potential areas of improvement are found.