Novel .NET Backdoor DeliveryCheck Sends a Variety of Secondary Payloads
The Russian Turla hacker group has targeted the Ukrainian defense sector and other Eastern European entities with a novel backdoor, dubbed DeliveryCheck, to deploy secondary payloads likely used for espionage, according to Microsoft.
Security researchers at Microsoft’s Threat Intelligence said DeliveryCheck is .NET-based malware distributed through email that contains documents containing malicious macros. The Computer Emergency Response Team of Ukraine confirmed Microsoft’s findings, saying it has monitored activity that includes targeted cyberattacks against defense forces using a malware called Capibar – the same malware that Microsoft calls DeliveryCheck and Mandiant has dubbed Gameday.
The purpose of this malware deployment is primarily espionage, CERT-UA said.
“It persists via a scheduled task that downloads and launches it in memory,” Microsoft said. “It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets.”
Microsoft has observed that following initial infection, the threat actor deploys open-source tools such as
rclone to collect and exfiltrate files – or in some cases – deploys a fully featured Secret Blizzard implant known as Kazuar.
The Kazuar backdoor can execute nearly 40 functions, CERT-UA said, including:
- Event logging and retrieval of OS log data;
- Collection of forensic artifacts such as
- Stealing authentication data including credentials, bookmarks, autofill, history, proxies, cookies, FileZilla, Chromium, Mozilla, Outlook, OpenVPN, system, WinSCP, Signal and Git;
- Stealing databases and configuration files of applications such as KeePass, Azure, Google Cloud, AWS and Bluemix.
Microsoft said the Turla hacker group, known to be closely associated with the Russian foreign intelligence service FSB, is aiming to exfiltrate files containing messages from the popular Signal Desktop messaging application. This “would allow the actor to read private Signal conversations, as well as documents, images and archive files on targeted systems,” Microsoft said.
Microsoft also said the threat group targeted Microsoft Exchange servers to install server-side components of DeliveryCheck using PowerShell Desired State Configuration. “DSC generates a Managed Object Format file containing a PowerShell script that loads the embedded [.]NET payload into memory, effectively turning a legitimate server into a malware C2 [command and control] center,” Microsoft said.
CERT-UA said the hack had several signatures of Turla. “Taking into account the peculiarities of tactics, techniques and procedures, as well as the fact of the use of the Kazuar malware, with a sufficient level of confidence the described activity is associated with the Turla group [also known as UAC-0003, KRYPTON, Secret Blizzard], whose activities are directed by Russia’s FSB,” CERT-UA said.
Malware samples have been distributed among security companies for the ease of detection, CERT-UA and Microsoft said.
The two did not immediately respond to Information Security Media Group’s request for additional details.
Turla is known to deploy a revamped set of customized tools to target potential victims for its espionage campaigns. In 2020, U.S Cyber Command and the Cybersecurity and Infrastructure Security Agency issued warnings about the Russian hacking group using updated ComRAT malware to target government agencies around the world (see: Updated Malware Tied to Russian Hackers).