Experts Find Russian ‘Crutch’ Malware Used in APT Attacks for 5 Years




Cybersecurity researchers today unveiled a previously undocumented backdoor and document stealer that were deployed against specific targets from 2015 to early 2020.

Codenamed “Crutch” by ESET researchers, the malware has been attributed to Turla (aka Venomous Bear or Snake), an advanced Russia-based hacking group known for its widespread attacks on governments, embassies and military organizations through various watering-hole and spear-phishing campaigns.

“These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators,” the cybersecurity company said in an analysis shared with The Hacker News.

The backdoor implants were secretly installed on several machines belonging to the Ministry of Foreign Affairs of an unnamed European Union country.

Aside from identifying strong links between a 2016 sample of Crutch and another Turla second-stage backdoor called Gazer, the latest addition to the group's diverse toolset shows that it continues to focus on espionage and reconnaissance against high-level targets.

Crutch is delivered either via the Skipper suite, a first-stage implant previously attributed to Turla, or via the PowerShell Empire post-exploitation agent, with two different versions of the malware observed before and after mid-2019.

While the former included a backdoor that communicates with a hard-coded Dropbox account through the official HTTP API to receive commands and upload results, the newer variant (“Crutch v4”) drops that setup in favour of a new feature that automatically uploads files found on local and removable drives to Dropbox using the Windows version of the Wget utility.

“The sophistication of the attacks and the technical details of the discovery further reinforce the perception that the Turla Group has considerable resources to exploit such a large and diverse arsenal,” said Matthieu Faou, researcher at ESET.

“Additionally, Crutch is able to bypass certain layers of security by abusing legitimate infrastructure – here, Dropbox – to blend in with normal network traffic while exfiltrating stolen documents and receiving orders from its operators.”
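The two paragraphs above describe the defender's problem: exfiltration to a legitimate cloud service (here, Dropbox) through the official HTTP API or a command-line fetcher like Wget is hard to separate from ordinary traffic. The script below is an added example, not code from the article or from ESET, showing two detection heuristics a SOC could run over outbound proxy logs: (1) requests to the Dropbox API hosts from command-line user agents rather than a browser or the desktop client, and (2) hosts whose cumulative POST volume to the Dropbox content API exceeds a threshold. The log format, hostnames, user agents and byte counts are constructed for the example; the Dropbox API hostnames are the public ones.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample proxy log (not from the article). Assumed line format:
#   <timestamp> <host> "<user-agent>" <method> <url> <bytes-sent>
SAMPLE_PROXY_LOG = """\
2020-03-02T09:14:01Z ws-fin-07 "Mozilla/5.0 (Windows NT 10.0) Chrome/80.0" GET https://www.dropbox.com/home 512
2020-03-02T09:15:22Z ws-fin-07 "Wget/1.20.3 (mingw32)" POST https://content.dropboxapi.com/2/files/upload 2097152
2020-03-02T09:15:40Z ws-fin-07 "Wget/1.20.3 (mingw32)" POST https://content.dropboxapi.com/2/files/upload 1048576
2020-03-02T09:16:05Z ws-fin-07 "Wget/1.20.3 (mingw32)" POST https://content.dropboxapi.com/2/files/upload 3145728
2020-03-02T09:20:00Z ws-hr-02 "Mozilla/5.0 (Windows NT 10.0) Chrome/80.0" POST https://content.dropboxapi.com/2/files/upload 4096
2020-03-02T09:21:10Z ws-hr-02 "DropboxDesktopClient/90.4 (Windows)" POST https://content.dropboxapi.com/2/files/upload 20480
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d+)$')

# Public Dropbox API hosts; content.dropboxapi.com is the one that receives file bodies.
DROPBOX_API_HOSTS = ("content.dropboxapi.com", "api.dropboxapi.com")

# User-agent prefixes of command-line fetchers. A workstation driving a cloud-storage
# API with one of these (rather than a browser or the official client) is the kind of
# anomaly the Wget-based upload described for Crutch v4 would produce.
CLI_TOOL_UA = re.compile(r"^(Wget|curl|PowerShell|python-requests)", re.IGNORECASE)


def parse_proxy_log(text: str) -> List[Dict]:
    """Parse the assumed proxy log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, ua, method, url, nbytes = m.groups()
        records.append({"ts": ts, "host": host, "ua": ua,
                        "method": method, "url": url, "bytes": int(nbytes)})
    return records


def _is_dropbox_api(url: str) -> bool:
    """True only for the API hosts, not for the www.dropbox.com web UI."""
    return any(f"://{h}/" in url for h in DROPBOX_API_HOSTS)


def find_suspicious_dropbox_uploads(records: List[Dict],
                                    byte_threshold: int = 5 * 1024 * 1024) -> Dict:
    """Apply both heuristics and return the hits for analyst triage."""
    cli_hits = []                 # individual requests from command-line tooling
    per_host = defaultdict(int)   # cumulative POST bytes to the API, per host
    for r in records:
        if not _is_dropbox_api(r["url"]):
            continue
        if CLI_TOOL_UA.match(r["ua"]):
            cli_hits.append(r)
        if r["method"] == "POST":
            per_host[r["host"]] += r["bytes"]
    high_volume = sorted(h for h, total in per_host.items() if total > byte_threshold)
    return {"cli_tooling": cli_hits, "high_volume_hosts": high_volume}


if __name__ == "__main__":
    findings = find_suspicious_dropbox_uploads(parse_proxy_log(SAMPLE_PROXY_LOG))
    for hit in findings["cli_tooling"]:
        print(f"CLI tooling -> Dropbox API: {hit['host']} {hit['ua']} {hit['bytes']} bytes")
    for host in findings["high_volume_hosts"]:
        print(f"High upload volume to Dropbox API: {host}")
```

In the constructed sample only ws-fin-07 trips both rules: three Wget POSTs totalling 6 MiB. The second rule exists because an operator can trivially change a user agent, so the volume baseline per host (tuned to your own environment rather than the 5 MiB used here) is the more durable signal; pairing it with an allow-list of hosts that legitimately sync to Dropbox keeps the false-positive rate manageable.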


