Analyzing the Newest Turla Backdoor
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
The Russian APT group Turla has launched a new campaign using shortcut files to infect systems with a fileless backdoor. The malware employs evasion techniques such as disabling ETW and AMSI, and unhooking. The attack begins with a shortcut file mimicking a PDF, which creates a file executed using MSBuild. The final payload is a fileless backdoor obfuscated with SmartAssembly. The backdoor implements custom commands for file creation and PowerShell script execution. It communicates with the C2 server using encrypted and encoded data. The analysis reveals sophisticated techniques to avoid detection, including DLL mapping to bypass hooks and patching of ETW and AMSI-related functions.
OPENCTI LABELS :
apt,backdoor
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Analyzing the Newest Turla Backdoor