A new threat actor, White Tur, has been observed using multiple techniques borrowed from various APT actors. The group is believed to have been active since at least 2017.
The borrowed techniques
An attack was discovered in January in which the threat actor registered a subdomain (mail[.]mod[.]qov[.]rs) to phish the login credentials of employees of the Serbian Ministry of Defence.
- The phishing domain used a TLS certificate containing the term ‘qov’, spoofing the word ‘gov’. This .gov spoofing technique was previously used by the Russian APT group Sofacy (aka APT28).
- The adversary abuses OpenHardwareMonitor, an open-source project, for payload execution, injecting the code with a technique previously used by the North Korean threat group ZINC.
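The ‘qov’ for ‘gov’ substitution above is a lookalike-domain trick that defenders can screen for in DNS, proxy or certificate-transparency data. The following is an added example, not code from the report or the researchers: it refangs defanged indicators, maps commonly confused characters (an assumed list) back to the letters they imitate, and reports any hostname that only matches a protected zone after that normalisation. The protected list and the sample hostnames other than the report's own are constructed.

```python
"""Lookalike-domain check for 'qov' -> 'gov' style spoofing (added example, not the report's code)."""
from typing import Iterable, Optional

# Character substitutions commonly used in lookalike domains (assumed list, not from the report).
CONFUSABLES = {"rn": "m", "vv": "w", "q": "g", "0": "o", "1": "l", "3": "e", "5": "s"}

# Zones to protect. Only mod.gov.rs is implied by the report; the second entry is constructed.
PROTECTED = ["mod.gov.rs", "example-defence.org"]


def refang(domain: str) -> str:
    """Turn a defanged indicator like mail[.]mod[.]qov[.]rs back into a real hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


def normalize(label: str) -> str:
    """Map confusable characters in one DNS label to the letters they imitate (longest first)."""
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected zone a hostname imitates, or None if it is genuine or unrelated.

    A hostname is genuine if it already sits under a protected zone; it is a lookalike if it
    only does so after confusable characters are normalised label by label.
    """
    host = refang(domain)
    for zone in PROTECTED:
        if host == zone or host.endswith("." + zone):
            return None  # genuine subdomain of the protected zone
    normalized = ".".join(normalize(label) for label in host.split("."))
    for zone in PROTECTED:
        if normalized == zone or normalized.endswith("." + zone):
            return zone
    return None


def scan(domains: Iterable[str]) -> dict:
    """Return {observed_host: imitated_zone} for every lookalike among (possibly defanged) hosts."""
    hits = {}
    for d in domains:
        zone = lookalike_of(d)
        if zone:
            hits[refang(d)] = zone
    return hits


if __name__ == "__main__":
    # Constructed sample: the report's phishing host, a genuine host, a second lookalike, an unrelated host.
    sample = ["mail[.]mod[.]qov[.]rs", "mail.mod.gov.rs", "portal.exarnple-defence.org", "cdn.example.net"]
    for host, zone in scan(sample).items():
        print(f"{host} looks like {zone}")
```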
Additional behavior insights
As part of White Tur’s attack, PowerShell code obtains environmental details from the victim through PowerShell WMI objects and uses the PowerShell BitsTransfer module to download a payload.
- The group uses macro-enabled documents laden with different exploits and themed around government, R&D, telecoms and defense: macros exploiting CVE-2017-0199, a JScript backdoor, HTA, XSL, and PowerShell scripts.
- Actors employ a functional backdoor packaged as a DLL to manage files, run commands, set the malware’s sleep time, and upload/download files.
- In the backdoor’s PDB path, the researchers discovered the name of Storm Kitty, an open-source malware project developed to collect credentials and log keystrokes.
Concluding notes
White Tur’s target selection includes low-profile regions such as Serbia, which receive little attention in threat intelligence coverage. This suggests that a new and budding threat group could have a wide range of motivations.