Advanced Turla Internet-Spying Operation Still Active, Says Kaspersky


According to Kaspersky, Turla, also known as Uroburos and Snake, is the most sophisticated of the cyber-espionage operations that are still running.

When the first study of Turla was published, there was no answer as to how the spyware infected its victims.

Kaspersky Lab's most recent study of the Turla operation identifies the first stage of the infection process as Epic.

Attackers have been deploying the Epic stage since at least 2012, with the highest number of attempts seen in January-February 2014. Kaspersky last spotted this attack on 5th August 2014, when it targeted a user of the company. The attacks have not stopped, however, and continue to target web users chiefly in the Middle East and Europe.

Among the other countries in which the majority of victims are located is the USA. Many hundreds of victim IP addresses have been counted across more than 45 countries, with France ranking No. 1 among them.

Entities that Epic targets are government departments (External Affairs/Foreign ministry, Trade and Commerce ministry, Interior ministry and Intelligence agencies) along with military, embassies, pharmaceutical firms, and educational and research institutions.

Kaspersky Lab's researchers recently said they found a combination of off-the-shelf and zero-day exploits being used in Epic to compromise victims; the zero-days targeted previously unknown vulnerabilities that have since been patched. The Epic stage of the multi-stage attack reached victims through social engineering, spear-phishing, or watering hole attacks on websites the victims tried to visit.

Turla and Epic share an identical script and the same encryption, which may bewilder researchers and indicates the two campaigns are necessarily linked. There may be some cooperation between the attackers, or they may be the same gang, say the researchers. Threatpost.com published this on August 7, 2014.

Apparently, the attackers are not native English speakers, while the backdoors suggest that Turla's creators may have a Russian connection. One Epic backdoor is named "Zagruzchik.dll", which means "load program" or "bootloader" in Russian.

Kaspersky further believes there could be links to other cyber-espionage operations, in particular Miniduke, which used identical web shells to manage infected web servers.

» SPAMfighter News - 8/18/2014
