
Russian APTs And WhiteBear Related Activity

The Russian APT group Turla has been active against defence, diplomatic and political targets, using a toolset known as WhiteBear.

Turla activity includes the following characteristics:
• Targeting embassies and government ministries.
• Using spear phishing to deliver a first stage backdoor.
• Inserting a second stage backdoor.
• The second stage backdoor receives encrypted instructions from a command and control (C2) server hosted on a compromised website.

WhiteBear is highly sophisticated: it is believed to alter strings within its code, randomises markers and securely wipes files in order to avoid detection.

The rootkit creates a hidden, encrypted file system to store data and tools, which are then used to access systems, gather information and steal passwords. The attackers use a number of C2 servers worldwide during their campaigns.

What To Block:

Some of the known IP addresses and hostnames to block are as follows:

WhiteBear Command and Control

169.255.137[.]203
217.171.86[.]137
66.178.107[.]140

soligro[.]com – C2 server for the WhiteBear transport library

mydreamhoroscope[.]com
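As an added example (not part of the original post), the Python script below refangs the indicators listed above and searches log lines for them with bounded matches, so that a longer IP address or a look-alike hostname does not produce a false hit. The proxy/DNS/firewall log format and the sample lines are constructed assumptions.

```python
import re

# Indicators exactly as printed in the advisory above, defanged with "[.]".
WHITEBEAR_IOCS_DEFANGED = [
    "169.255.137[.]203",
    "217.171.86[.]137",
    "66.178.107[.]140",
    "soligro[.]com",
    "mydreamhoroscope[.]com",
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator):
    """Undo common defanging so the indicator can be matched against real logs."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http").lower()


def compile_indicator(live):
    """Regex for one refanged indicator, bounded so that 166.178.107.140 does not match
    66.178.107.140 and notsoligro.com does not match soligro.com (subdomains do match)."""
    escaped = re.escape(live)
    if IPV4.fullmatch(live):
        return re.compile(rf"(?<![\d.]){escaped}(?![\d.])")
    return re.compile(rf"(?<![\w.-])(?:[\w-]+\.)*{escaped}(?![\w-])", re.IGNORECASE)


def find_ioc_hits(log_lines, iocs=WHITEBEAR_IOCS_DEFANGED):
    """Return (line_number, indicator) for every log line that contains a listed IoC."""
    compiled = [(live, compile_indicator(live)) for live in map(refang, iocs)]
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for live, pattern in compiled:
            if pattern.search(line):
                hits.append((lineno, live))
    return hits


# Constructed sample proxy/DNS/firewall lines, not real telemetry (assumed format).
SAMPLE_LOG = [
    "2017-08-30T10:01:02Z proxy 10.0.0.15 GET http://www.soligro.com/img/a.png 200",
    "2017-08-30T10:01:09Z dns 10.0.0.15 query mydreamhoroscope.com IN A",
    "2017-08-30T10:01:10Z fw ALLOW src=10.0.0.15 dst=217.171.86.137 dport=443",
    "2017-08-30T10:02:00Z fw ALLOW src=10.0.0.22 dst=166.178.107.140 dport=443",
    "2017-08-30T10:02:05Z proxy 10.0.0.22 GET http://notsoligro.com/ 200",
]

if __name__ == "__main__":
    for lineno, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: matched WhiteBear indicator {ioc}")
```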

Affected Platforms:

Microsoft Windows – all versions

Resolution:

Don’t open any mail attachments you’re unsure of, even if you trust the sender.

Ensure all staff are properly trained on common phishing techniques.

Some email services offer settings that disable the automatic loading or execution of remote content.

Duncan

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
