Security News > 2020 > December > Russian hacking group uses Dropbox to store malware-stolen data
Russian-backed hacking group Turla has used a previously undocumented malware toolset to deploy backdoors and steal sensitive documents in targeted cyber-espionage campaigns directed at high-profile targets such as the Ministry of Foreign Affairs of a European Union country.
Turla's Crutch malware was designed to help harvest and exfiltrate sensitive documents and various other files of interest to Dropbox accounts controlled by the Russian hacking group.
ESET researchers were able to link Crutch to the Russian Turla advanced persistent threat group based on similarities with the second-stage Gazer backdoor the threat actors used between 2016 and 2017.
The use of the same RC4 key for decrypting payloads, identical filenames while being dropped on the same compromised machine in September 2017, and almost identical PDB paths are just a few of the strong links between the two observed by ESET. "Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal," Faou added.
Based on the timestamps of over 500 ZIP archives containing stolen documents and uploaded to Turla's Dropbox accounts between October 2018 and July 2019, the working hours of Crutch's operators line up with the Russian UTC+3 time zone.
News URL
Related news
- Russian Espionage Group Targets Ukrainian Military with Malware via Telegram (source)
- Russian charged by U.S. for creating RedLine infostealer malware (source)
- Uncle Sam outs a Russian accused of developing Redline infostealing malware (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)