A cyber espionage campaign is targeting the foreign ministry of a country in the European Union with the aid of a previously undocumented form of malware which provides a secret backdoor onto compromised Windows systems.

Uncovered by cybersecurity researchers at ESET[1], the tools are designed to steal sensitive documents and other files by secretly exfiltrating them via Dropbox accounts controlled by the attackers.

Dubbed Crutch by its developers, this malware[2] campaign has been active from 2015 through 2020, and researchers have linked it to the Turla hacking group because of similarities with previously uncovered Turla campaigns such as Gazer[3]. The group's working hours also coincide with UTC+3, the time zone in which Moscow sits. The UK's National Cyber Security Centre (NCSC) is among those that have attributed Turla[4] – also known as Waterbug and Venomous Bear – to Russia.

The newly detailed Crutch campaign appears tailored to very specific targets with the aim of stealing sensitive documents. ESET hasn't revealed any specifics about the target, other than that it was a ministry of foreign affairs in an EU country. This targeting fits with previous Turla campaigns[5].


However, Crutch isn't a first-stage payload and is only deployed after the attackers have already compromised the target network – something similar campaigns have achieved using specially crafted spear-phishing attacks[8].

Once Crutch is installed as a backdoor on the target system, it communicates with a hardcoded Dropbox account, which it uses to retrieve files while remaining under the radar, because Dropbox is able to blend into normal network
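The defensive counterpart to the technique just described is to stop treating traffic to a sanctioned cloud-storage service as automatically benign and to baseline it per host. The script below is an added example written for this article, not code from ESET or from the Crutch report: it parses constructed proxy log lines, aggregates upload volume and client user agents per source host for Dropbox content endpoints, and flags hosts that exceed an assumed upload threshold or that talk to Dropbox with a non-browser client. The hostname list, log format, threshold and sample log lines are all assumptions chosen for illustration.

```python
"""Per-host Dropbox upload baselining over proxy logs.

Added example for this article (not from ESET or the Crutch report).
The log format, hostnames, threshold and sample lines are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed set of Dropbox endpoints involved in file content transfer.
# Adjust to what your own proxy actually records.
DROPBOX_CONTENT_HOSTS = {
    "content.dropboxapi.com",
    "api.dropboxapi.com",
    "dl.dropboxusercontent.com",
}

# Constructed proxy-log format:
#   <timestamp> <src_ip> <method> <host> <bytes_sent_by_client> <user_agent>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_out>\d+) (?P<ua>.+)$"
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2020-11-30T08:01:10Z 10.0.1.20 GET www.example.com 0 Mozilla/5.0 (Windows NT 10.0)",
    "2020-11-30T08:02:44Z 10.0.1.20 POST content.dropboxapi.com 120000 Mozilla/5.0 (Windows NT 10.0)",
    "2020-11-30T22:15:03Z 10.0.1.37 POST content.dropboxapi.com 4000000 Mozilla/5.0 (Windows NT 10.0)",
    "2020-11-30T22:16:51Z 10.0.1.37 POST content.dropboxapi.com 4000000 Mozilla/5.0 (Windows NT 10.0)",
    "2020-11-30T23:40:12Z 10.0.1.52 POST api.dropboxapi.com 50000 CustomAgent/1.0",
    "2020-11-30T23:41:09Z 10.0.1.52 GET www.example.com 0 Mozilla/5.0 (Windows NT 10.0)",
]


@dataclass
class HostStats:
    """Aggregated Dropbox activity for one source host."""
    upload_bytes: int = 0
    requests: int = 0
    user_agents: set = field(default_factory=set)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def aggregate(lines):
    """Sum client-to-Dropbox upload bytes and collect user agents per host."""
    stats = defaultdict(HostStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in DROPBOX_CONTENT_HOSTS:
            continue
        s = stats[rec["src"]]
        s.requests += 1
        if rec["method"] in ("POST", "PUT"):
            s.upload_bytes += int(rec["bytes_out"])
        s.user_agents.add(rec["ua"])
    return stats


def flag_hosts(stats, upload_threshold=5_000_000, browser_markers=("Mozilla/",)):
    """Flag hosts whose upload volume exceeds the (assumed) threshold or that
    reach Dropbox with a client that does not present a browser user agent.
    Returns a sorted list of (src_ip, [reasons])."""
    flagged = []
    for src, s in stats.items():
        reasons = []
        if s.upload_bytes > upload_threshold:
            reasons.append(f"upload volume {s.upload_bytes} bytes to Dropbox")
        non_browser = sorted(ua for ua in s.user_agents if not ua.startswith(browser_markers))
        if non_browser:
            reasons.append(f"non-browser Dropbox client: {non_browser}")
        if reasons:
            flagged.append((src, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for src, reasons in flag_hosts(aggregate(SAMPLE_LOG)):
        print(src, "->", "; ".join(reasons))
```

In the constructed sample, 10.0.1.20 uploads a small amount from a browser and is left alone, 10.0.1.37 is flagged for 8 MB of uploads, and 10.0.1.52 is flagged for a non-browser client. In a real environment the sanctioned Dropbox desktop client would also fail the browser check, so the user-agent rule needs an allowlist for approved clients, and the byte threshold should come from each host's own historical baseline rather than a fixed constant.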
