Turla threat group targets Armenian government websites in a new cyber campaign

The watering-hole attacks might be on-going for the past several months, the researchers warn

A new campaign by the Russia-linked Turla group has been using watering-hole attacks to target government and civilian websites in Armenia.

That's according to the researchers at cyber security firm ESET, who noticed the campaign only recently, although they believe it might have been on-going for several months.

The data from ESET telemetry revealed four websites that have already been targeted by Turla operators. These websites are:

• mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh;
• armconsul[.]ru: The consular Section of the Embassy of Armenia in Russia;
• adgf[.]am: The Armenian Deposit Guarantee Fund;
• aiisa[.]am: The Armenian Institute of International and Security Affairs

According to the researchers, the campaign targetting these websites have been active since early 2019. Analysis of the malware samples collected from compromised Armenian government websites suggested that the Russian threat group Turla is most likely behind the watering-hole operation.

In watering-hole attacks, malware is implanted on the systems of specific, high-value individuals. For example, government officials.

In the current watering-hole operation, the researchers noticed two previously unseen malware elements, which they dubbed NetFlash and PyFlash, being delivered on targeted machines by Turla operators.

When the group identifies a high-value target, its command-and-control server sends a piece of JavaScript code to create an IFrame.

This IFrame displays a bogus Adobe Flash update warning on the target machine in a bid to trick the user into downloading a malicious Flash installer.

"The compromise attempt relies solely on this social engineering trick," said ESET researcher Matthieu Faou.

Once the malicious executable file is downloaded on the system and manually launched by the user, a Turla malware variant and the legitimate Adobe Flash programme are installed.

According to researchers, at the end of August 2019, Turla operators changed their payload most likely to evade detection. They are now using NetFlash payload, which installs PyFlash, a backdoor written in the Python language.

The Turla group, which is also known as Venomous Bear, Snake, Group 88, Uroburos, KRYPTON, and Iron Hunter, has been active for more than 10 years. The group is believed to have links to the Russian military and is known for carrying out targeted malware attacks against foreign government entities, embassies and militaries.

In 2018, it is believed to have been behind an attack on Germany's government computer network.

Earlier in 2014, researchers at security firms Kaspersky and Symantec claimed that more than 40 governments had been attacked in a cyber-campaign that linked to the Turla group.

Last year, Kaspersky researchers warned that Turla was developing new forms of malware to avoid detection.