Researchers have discovered a stealthy form of malware that hackers may have used in a massive campaign of cyber-espionage discovered earlier this year.
Kaspersky Lab recently published its findings on the ‘Penguin’ Turla, which is the first known Turla Trojan sample that targets the Linux operating system.
The piece of malware is unique because of its stealth. Undetectable by the netstat command, the Linux Turla activates once the attacker sends a series of “magic numbers” in specially crafted packets.
The Trojan also has been stripped of symbol information, making it difficult to reverse engineer and analyze.
This has Kurt Baumgartner, principal security researcher at Kaspersky Lab, concerned.
“The research is ongoing,” he said. “I would assume at some point this is going to bridge into another finding because of the way this backdoor is used.”
The fact that the Turla malware has expanded onto the Linux operating system means that it will become more difficult to track and dangerous to deal with going forward.
The Trojan was first detected back in August of this year. In what came to be known as Operation ‘Epic Turla,’ attackers backed by a nation-state (likely Russia) used the Turla malware to spy on government institutions, embassies, military installations and other organizations in more than 45 countries.
The attack used two different methods to infect Windows-based systems with the Trojan. The first involved spearphishing techniques using CVE-2012-1723 and CVE-2012-1723, privilege-escalation and arbitration code-execution vulnerabilities in Windows XP, Windows 2003 and Adobe Reader.
The other method relied on watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits and Internet Explorer exploits.
It is possible that attackers may have also used the ‘Penguin’ Turla in their activities.
Kaspersky Lab notes that both the Windows- and Linux-based versions of Turla are built on the capabilities of Agent.Biz, a worm that ripped through U.S. military computers in 2008 and helped spark the creation of the U.S. Cyber Command.
Administrators who want to check for ‘Penguin’ Turla infections should check the outgoing traffic from news-bbc.podzone[.]org or 126.96.36.199, the known C2 servers for the Trojan. They can also build a signature using a tool called YARA.