Turla's New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector
2023-07-20 09:40

The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called DeliveryCheck that's capable of delivering next-stage payloads.

The Microsoft threat intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine, attributed the attacks to a Russian nation-state actor known as Turla, which is also tracked under the names Iron Hunter, Secret Blizzard, Uroburos, Venomous Bear, and Waterbug.

Successful initial access is also accompanied in some cases by the distribution of a known Turla implant dubbed Kazuar, which is equipped to steal application configuration files, event logs, and a wide range of data from web browsers.

A noteworthy aspect of DeliveryCheck is its ability to breach Microsoft Exchange servers to install a server-side component using PowerShell Desired State Configuration, a PowerShell management platform that helps administrators to automate the configuration of Windows systems.

"DSC generates a Managed Object Format file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center," Microsoft explained.
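For defenders triaging DSC MOF files collected from a server, the following is an added example (not code from Microsoft, CERT-UA, or the original article) of a heuristic that flags compiled Script resources whose script bodies load .NET code from memory. It relies on compiled DSC Script resources appearing as `MSFT_ScriptResource` instances with `GetScript`, `TestScript` and `SetScript` properties; the indicator list, the 256-character blob threshold, and the sample MOF text are assumptions constructed for illustration.

```python
import re

# Heuristic indicators (assumed for this example) that a script body loads
# .NET code from memory instead of from a file on disk.
CHECKS = (
    ("in-memory assembly load", re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\s*\(", re.I)),
    ("base64 decode", re.compile(r"FromBase64String\s*\(", re.I)),
    ("embedded base64 blob", re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")),
)
# Either an instance header or a string-valued property. Matching whole string
# literals keeps text inside a script body from being parsed as MOF syntax.
TOKEN = re.compile(
    r'instance\s+of\s+(?P<cls>\w+)'
    r'|(?P<name>\w+)\s*=\s*"(?P<val>(?:[^"\\]|\\.)*)"', re.S | re.I)

def parse_instances(text):
    """Return [(class_name, {lowercased_property: raw_value})] in file order."""
    instances = []
    for m in TOKEN.finditer(text):
        if m.group("cls"):
            instances.append((m.group("cls"), {}))
        elif instances:
            instances[-1][1][m.group("name").lower()] = m.group("val")
    return instances

def scan_mof(text):
    """Flag Script resources whose Get/Test/SetScript show two or more indicators."""
    findings = []
    for cls, props in parse_instances(text):
        if cls.lower() != "msft_scriptresource":
            continue
        for key in ("getscript", "testscript", "setscript"):
            reasons = [label for label, rx in CHECKS if rx.search(props.get(key, ""))]
            if len(reasons) >= 2:
                findings.append((props.get("resourceid", "?"), key, reasons))
    return findings

# Constructed sample with harmless placeholder data, not taken from the incident.
SAMPLE = r'''
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]Example";
 GetScript = "@{ Result = \"\" }";
 SetScript = "$b = [Convert]::FromBase64String(\"%s\"); [Reflection.Assembly]::Load($b)";
};
instance of MSFT_FileDirectoryConfiguration as $File1ref { ResourceID = "[File]Logs"; DestinationPath = "C:\\Logs"; };
''' % ("QUJD" * 100)

if __name__ == "__main__":
    print(scan_mof(SAMPLE))
```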


News URL

https://thehackernews.com/2023/07/turlas-new-deliverycheck-backdoor.html