ESET researchers have found a watering hole operation targeting several high-profile Armenian websites. It relies on a social engineering trick — a fake Adobe Flash update — as a lure to deliver two previously undocumented pieces of malware. In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.
Turla is an infamous cyberespionage group that has been active for more than 10 years. Its main targets are government and military organizations. This recent operation bears similarities to the modus operandi of several of Turla’s watering hole campaigns in the past.
ESET Research has indications that these websites had been compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication.
“A fake Adobe Flash update pop-up window warning to the user is displayed in order to trick them into downloading a malicious Flash installer. The compromise attempt relies solely on this social engineering trick,” said Faou.
Interestingly, in this latest campaign, Turla utilizes a completely new backdoor dubbed PyFlash. ESET believes this is the first time the Turla developers have used the Python language in a backdoor. The command and control server sends backdoor commands that include downloading files, executing Windows commands, and launching or uninstalling malware. “The final payload has changed, probably in order to evade detection,” said Faou.
For more details about the latest Turla campaign, read the blog post “Tracking Turla: New backdoor delivered via Armenian watering holes” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
ESET and ProfiBusiness.world
March 19, 2020