Trula, a sophisticated hacking group also known as Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets government entities, military, energy, and nuclear research organizations.
The group knows for conducting various spear-phishing techniques and watering-hole attacks to infect targeted victims. The group knows to be active since at least 2014.
Accenture threat researchers identified the group typical targeting European government organizations using their custom tools, albeit with some updates.
Trula Group Attack
In the attack against European government organization, Trula used a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.
The RPC backdoors are developed by Trula based on the relying RPC protocol, by using these backdoors they can perform lateral movement and take control of other machines in the local network without relying on the C&C server.
Accenture Cyber Threat Intelligence researchers identified that one of the RPC backdoors used HyperStack functionality.
“HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials.”
Also, another version of HyperStack observed in this campaign that allows Trula operators to run a command via a named pipe from the controller without implementing IPC$ enumeration activity.
For C&C communication as like other cyber-espionage groups, Trula uses legitimate web services. In the case of the Carbon modular backdoor framework Pastebin used for C&C.
Kazuar uses to connect with the target C2 network that resides outside of the victim network, the C2 network is probably a compromised legitimate website.
Earlier in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.