Turla Mail Client Backdoor [Turla Outlook Backdoor]

Security researchers have discovered a backdoor tool created by the Turla advanced persistent threat group to target mail clients. The researchers believe that the tool has been in the wild since at least 2013, although it is possible it was created in 2009.  This is also known as Turla Outlook Backdoor.

The backdoor is a self-contained DLL file that is able to install and operate itself on the targeted client. As such, it can be delivered by several Turla tools or by any other malware that is able to execute additional processes.

Once installed, the tool is able to intercept all email traffic, including metadata, from the affected client. It can also to execute commands and programs, exfiltrate data and download additional malware. The tool communicates with its command and control infrastructure using encoded emails, with new files being delivered as PDF attachments. These emails are kept hidden to prevent detection by the user.

As the backdoor works at the same time as the user is using their computer and Outlook, efforts are made to hide the various malicious behaviors that could appear on the screen, such as incoming emails from the attacker.  To hide the email exchanges from the user, the backdoor deletes the messages sent to or received from the attacker. New email notifications may appear for a few seconds, but the message body is not shown to the user, which could pass as a glitch in the client software

Interaction with the mail client varies according to which client is targeted.

For a detailed analysis of the backdoor read Turla Outlook Backdoor: Analysis of an unusual Turla backdoor.






Microsoft Outlook

Microsoft maintains an API, the Messaging Application Programming Interface (MAPI), which allows applications to interface with Outlook. This Turla backdoor leverages this API to access and manage the mailbox(es) of the person(s) using the compromised system.

Indicators of Compromise

SHA1 File Hashes

  • 8A7E2399A61EC025C15D06ECDD9B7B37D6245EC2
  • F992ABE8A67120667A01B88CD5BF11CA39D491A0
  • 851DFFA6CD611DC70C9A0D5B487FF00BC3853F30

Filenames

  • scawrdot.db
  • flobcsnd.dat
  • mapid.tlb

Registry Keys

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\
  • HKCU\Software\Classes\CLSID{49CBB1C7-97D1-485A-9EC1-A26065633066}
  • HKCU\Software\Classes\CLSID{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}




Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: