Analysis of Turla’s Neuron And Nautilus Tools

Neuron and Nautilus are malicious tools designed to operate on Microsoft Windows
platforms, primarily targeting mail servers and web servers. The NCSC has observed
these tools being used by the Turla group to maintain persistent network access and
to conduct network operations.

The Turla group use a range of tools and techniques, many of which are custom. Using
their advanced toolkit, the Turla group compromise networks for the purposes of
intelligence collection. The Turla group is known to target government, military,
technology, energy and commercial organisations.

The Turla group has operated on targets using a rootkit known as Snake for many
years. Like Neuron and Nautilus, Snake provides a platform to steal sensitive data,
acts as a gateway for internal network operations and is used to conduct onward
attacks against other organisations.

The Turla group are experienced in maintaining covert access through incident
response activities. They infect multiple systems within target networks and deploy a
diverse range of tools to ensure that they retain a foothold back onto a victim even
after the initial infection vector has been mitigated.

The NCSC has observed both Neuron and Nautilus being used in conjunction with the
Snake rootkit. In a number of instances, one or both of these tools has been deployed
following the successful installation of Snake. The NCSC believes that Neuron and
Nautilus are another component of the wider Turla campaign and are not acting as
replacements for the Snake rootkit. It is likely that these tools have seen wider
deployment since the Snake rootkit has been reported on by the information security
industry, providing the group with additional methods of access.

Nauron Details

The Neuron service is typically installed on compromised infrastructure such as mail
and web servers, and listens for HTTP requests from infected clients. In this way,
Neuron service acts as a Command & Control (C2) server inside the victim network
for infected Neuron clients.

The Neuron client is used to infect victim endpoints and extract sensitive information
from local client machines. The Neuron server is used to infect network infrastructure
such as mail and web servers, and acts as local Command & Control (C2) for the client
component. Establishing a local C2 limits interaction with the target network and
remote hosts. It also reduces the log footprint of actor infrastructure and enables client
interaction to appear more convincing as the traffic is contained within the target
network.

Nautilus Details

Nautilus is very similar to Neuron both in the targeting of mail servers and how client
communications are performed. This malware is referred to as Nautilus due to its
embedded internal DLL name “nautilus-service.dll”, again sharing some resemblance
to Neuron.

The main payload and configuration of Nautilus is encrypted within a covert store on
disk which is located in “\ProgramData\Microsoft\Windows\Caches\”. The loader DLL
will access this covert store to decrypt the payload (oxygen.dll), which is then loaded
into a target process via reflective loading.

The Nautilus service listens for HTTP requests from clients to process tasking
requests such as executing commands, deleting files and writing files to disk.

Nautilus achieves persistence by running as a service, dcomnetsrv, which is set to
automatically start. It is very likely that this is established by the Nautilus dropper,
similar to the Neuron service dropper.

Further Information

Download the full NCSC report here – https://www.ncsc.gov.uk/alerts/turla-group-malware