Tuesday, October 15, 2024
HomeMalwareTrula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government...

Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Published on

Malware protection

Trula, a sophisticated hacking group also known as Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets government entities, military, energy, and nuclear research organizations.

The group knows for conducting various spear-phishing techniques and watering-hole attacks to infect targeted victims. The group knows to be active since at least 2014.

Accenture threat researchers identified the group typical targeting European government organizations using their custom tools, albeit with some updates.

- Advertisement - SIEM as a Service

Trula Group Attack

In the attack against European government organization, Trula used a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.

The RPC backdoors are developed by Trula based on the relying RPC protocol, by using these backdoors they can perform lateral movement and take control of other machines in the local network without relying on the C&C server.

Accenture Cyber Threat Intelligence researchers identified that one of the RPC backdoors used HyperStack functionality.

“HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials.”

Also, another version of HyperStack observed in this campaign that allows Trula operators to run a command via a named pipe from the controller without implementing IPC$ enumeration activity.

For C&C communication as like other cyber-espionage groups, Trula uses legitimate web services. In the case of the Carbon modular backdoor framework Pastebin used for C&C.

Kazuar uses to connect with the target C2 network that resides outside of the victim network, the C2 network is probably a compromised legitimate website.

Earlier in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...