Security News > 2023 > July > Microsoft Exchange servers compromised by Turla APT

Turla has been targeting defense sector organizations in Ukraine and Eastern Europe with DeliveryCheck and Kazuar backdoors / infostealers and has been using compromised Microsoft Exchange servers to control them.

Turla APT. Turla is a sophisticated and persistent APT group that has been active for over 10 years and is believed to be sponsored by the Russian state.

Microsoft says Kazuar is a "Fully-featured implant".

"The threat actor specifically aims to exfiltrate files containing messages from the popular Signal Desktop messaging application, which would allow the actor to read private Signal conversations, as well as documents, images, and archive files on targeted systems," Microsoft noted.

Turla also used Desired State Configuration - a PowerShell feature that allows administrators to automate the configuration of Linux and Windows - to install server-side components of the DeliveryCheck malware into Microsoft Exchange servers.

"DSC generates a managed object format file containing a PowerShell script that loads the embedded.NET payload into memory, effectively turning a legitimate server into a malware C2 center," Microsoft explained.

News URL

https://www.helpnetsecurity.com/2023/07/20/turla-compromised-microsoft-exchange/