Thursday, November 30, 2023

Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Trula, a sophisticated hacking group also known as Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets government entities, military, energy, and nuclear research organizations.

The group knows for conducting various spear-phishing techniques and watering-hole attacks to infect targeted victims. The group knows to be active since at least 2014.

Accenture threat researchers identified the group typical targeting European government organizations using their custom tools, albeit with some updates.

Trula Group Attack

In the attack against European government organization, Trula used a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.

The RPC backdoors are developed by Trula based on the relying RPC protocol, by using these backdoors they can perform lateral movement and take control of other machines in the local network without relying on the C&C server.

Accenture Cyber Threat Intelligence researchers identified that one of the RPC backdoors used HyperStack functionality.

“HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials.”

Also, another version of HyperStack observed in this campaign that allows Trula operators to run a command via a named pipe from the controller without implementing IPC$ enumeration activity.

For C&C communication as like other cyber-espionage groups, Trula uses legitimate web services. In the case of the Carbon modular backdoor framework Pastebin used for C&C.

Kazuar uses to connect with the target C2 network that resides outside of the victim network, the C2 network is probably a compromised legitimate website.

Earlier in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major...

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward...

Google Workspace’s Design Flaw Allows Attacker Unauthorized Access

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools...

Serial ‘SIM Swapper’ Sentenced to Eight Years in Prison

In a digital age marred by deceit, 25-year-old Amir Hossein Golshan stands as a...

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover – Hunters

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw...

Hackers Behind High-Profile Ransomware Attacks on 71 Countries Arrested

Hackers launched ransomware attacks to extort money from the following two entities by encrypting...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles