Turla APT, also known as Waterbug, Venomous Bear and many other names, was found using a new dropper in a recent campaign this year. The discovery was made by security researchers from Kaspersky.

Russian-speaking Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroboros) is known for spy campaigns targeting Western governments as well as embassies and consulates in post-Soviet states. It’s been active since at least 2014 (and possibly earlier) developing a range of custom backdoors to carry out its work. It continually evolves both in terms of malware and targets.

The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.

The Topinambour dropper contains what Kaspersky calls a “tiny .NET shell” that will wait for Windows shell commands from the command-and-control server (C2) and silently execute them. The C2 infrastructure is hosted on compromised WordPress sites and cloud services.

“Using this and SMB shares on rented virtual private servers (VPS) [in South Africa], the campaign operators spread the next-stage modules using just ‘net use’ and ‘copy’ Windows shell commands,” the researchers noted.

One of these next-stage modules is an already-known Turla tool, the KopiLuwak JavaScript trojan, but more interestingly, Turla has crafted heavily obfuscated PowerShell and .NET trojans that are similar to KopiLuwak, the analysis found. Both (dubbed MiamiBeach and RocketMan!, respectively) were used in an active campaign that started at the beginning of 2019.

The researchers hypothesize that one of the reasons for creating similar trojans in different languages could be to avoid detection. “If one version is detected on the victim’s computer, the operators can try an analog in a different language,” they explained. “The reason behind the development of KopiLuwak’s PowerShell and .NET analogs may be simply to minimize detection of the well-known, publicly discussed JavaScript versions.”

The trojans upload, download and execute files, and fingerprint target systems. The PowerShell version of the trojan can also capture screenshots. They communicate with the C2 via an open SMB share on a remote CELL-C VPS in South Africa.

They also retrieve a final-stage, more complex trojan, able to parse and execute custom commands from the C2, the researchers added. During the final stage of infection, this encrypted remote-administration trojan is written into the computer's registry, where the malware reads it back once the chain is complete.

“The purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a fileless module chain on the victim’s computer consisting of an initial small runner and several Windows system registry values containing the encrypted remote administration tool,” the researchers wrote. “Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left.”
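One defensive check that follows from the description above is to look for the fingerprint this chain leaves behind: a registry value that is both large and high-entropy, as an encrypted remote-administration tool parked in the registry would be. The script below is an added illustration, not Kaspersky's or Turla's code; the registry paths, value names and the "encrypted" blob are all constructed sample data, and the size and entropy thresholds are assumptions to tune against a baseline.

```python
import hashlib
import math
from collections import Counter


def _pseudo_random_blob(seed: bytes, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload (constructed)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample of (key path, value name, raw data) as a registry dump tool might yield.
SAMPLE_VALUES = [
    # Ordinary autorun string: small and low entropy.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     b"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    # Large but plain text: size alone must not trigger.
    (r"HKCU\Software\Classes\Local Settings\MuiCache", "Description", b"lorem ipsum " * 400),
    # Large, opaque, high-entropy blob under an innocuous-looking name: the profile to flag.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "Settings",
     _pseudo_random_blob(b"constructed-seed", 4096)),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_registry_values(values, min_size=1024, min_entropy=7.0):
    """Return (path, name, size, entropy) for values that are both large and
    high-entropy; encrypted or compressed data scores near 8.0, text far lower."""
    hits = []
    for path, name, data in values:
        if len(data) < min_size:
            continue
        h = shannon_entropy(data)
        if h >= min_entropy:
            hits.append((path, name, len(data), round(h, 2)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_registry_values(SAMPLE_VALUES):
        print("review:", hit)
```

Legitimate values such as cached thumbnails, certificates or compressed settings also score high, so treat a hit as a triage lead to pair with the "tiny starter" (an unfamiliar autorun or scheduled task that reads that key), not as a verdict on its own.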