Two days ago, I started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to be compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption that this new dropper's time stamp is faked. Another indication that this new dropper is not from 2013 is the fact that it was first submitted to VirusTotal in March 2016.
This new dropper is disguised as a legit JPEGView version, since it mixes some of the code with its own. Also, the file description corresponds to an old version of this image viewer. Its payload - an old Turla dropper from 2014 - is split up into 3 PNG files inside the resource section. So, it uses the same method for hiding its payload inside PNG files as the recently discovered ZeroAccess 3 dropper, although the implementation is a bit different. One could think that this new dropper is inspired by ZeroAccess 3, but I don't think this is from the people behind Turla. Why should somebody disguise an old dropper inside an image viewer?
Recently, someone added an old Turla dropper which was crypted with VMProtect and an old Wipbot sample which was crypted with Enigma Protector. The latter, when decrypted, contains a resource named "TURLA", which would be quite unusual if it were from the people behind Turla. It looks more like someone is experimenting with some old Turla samples to make them undetected by some security software.
At the end of 2014, CrySys Lab released two blog posts in which they write about testing the detection of APT tools by available security solutions. They also released a test tool named BAB0.
https://virustotal.com/en/file/2dc0f9e0 ... /analysis/
https://virustotal.com/en/file/9184be43 ... /analysis/
https://virustotal.com/en/file/af0e455f ... /analysis/
https://virustotal.com/en/file/d581b95b ... /analysis/
The decrypted old Turla dropper has a compilation time stamp from August 2014, so shortly before the latest known dropper (I have mistyped the year, it should be 2014). What is unusual about this version is that it has both versions (x86/x64) of the vulnerable VirtualBox driver on board and loads the appropriate file according to the Windows platform in use. A possible explanation why they have done this could be that since Windows 8 the 32-bit version also requires kernel-mode drivers to be signed if Secure Boot is enabled.
New Turla dropper: https://virustotal.com/en/file/b5228539 ... /analysis/
New Turla dropper decrypted (old dropper): https://virustotal.com/en/file/f697aa0b ... 459692191/
Payloads of old dropper attached.
That's all so far.
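As an added triage example (not code from the post or from the samples it describes), the two indicators discussed above can be checked mechanically: whether a PNG carried in a resource section has data stuffed after its IEND chunk or unknown chunk types, and whether an embedded payload's PE TimeDateStamp is newer than the container's. The post does not say how the payload is laid out inside the PNGs, so the appended-after-IEND layout and the constructed sample files below are assumptions for illustration.

```python
import struct
import zlib
from datetime import datetime, timezone

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                   b"cHRM", b"gAMA", b"pHYs", b"sBIT", b"sRGB", b"tIME", b"tRNS", b"iCCP"}

def png_anomalies(data):
    """Walk the chunk list; report unknown chunks, CRC mismatches and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(ctype + body) & 0xffffffff != crc:
            findings.append(f"bad CRC in {ctype!r} chunk")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            break
    if len(data) - pos > 0:
        findings.append(f"{len(data) - pos} bytes after IEND")
    return findings

def pe_timestamp(data):
    """COFF header TimeDateStamp as a UTC datetime, or None if the blob is not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return datetime.fromtimestamp(struct.unpack_from("<I", data, e_lfanew + 8)[0], tz=timezone.utc)

def timestamp_inconsistent(container, payloads):
    """True if any embedded payload claims a newer build date than its container."""
    ct = pe_timestamp(container)
    return ct is not None and any(t > ct for t in map(pe_timestamp, payloads) if t)

def _chunk(ctype, body):  # PNG chunk with a correct CRC
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff)

def make_pe(timestamp):
    """Constructed minimal PE stub (MZ header, PE signature, COFF header); not a real binary."""
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3c points to 0x40
    return mz + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14c, 0, timestamp, 0, 0, 0, 0)

# Constructed samples: a valid 1x1 PNG, and the same PNG with a fake PE stub appended after IEND
CLEAN_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) + _chunk(b"IEND", b""))
STUFFED_PNG = CLEAN_PNG + make_pe(1406851200)
```

Run against real resources, `png_anomalies` would be applied to each RT_RCDATA/PNG entry and `timestamp_inconsistent` to the container plus every PE carved out of them.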