BRATISLAVA, MONTREAL – ESET researchers have found a watering hole operation targeting several high-profile Armenian websites. It relies on a social engineering trick — a fake Adobe Flash update — as a lure to deliver two previously undocumented pieces of malware. In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.
Turla is an infamous cyberespionage group active for more than 10 years. Its main targets are government and military organizations. This recent operation bears similarities to the modus operandi of several of Turla’s watering hole campaigns in the past.
ESET Research has indications that these websites had been compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication.
“If the visitor is deemed interesting, the C&C server replies with a piece of JavaScript code that creates an IFrame. Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators,” comments ESET researcher Matthieu Faou on the victims of the attack.
“A fake Adobe Flash update pop-up window warning to the user is displayed in order to trick them into downloading a malicious Flash installer. The compromise attempt relies solely on this social engineering trick,” he adds.
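As an added illustration of the injected-IFrame stage described above (example code, not from ESET or the blog post; the host names are constructed placeholders), here is a small check a site owner can run over their own pages to flag script or IFrame sources that load from a host other than the site's own:

```python
# Added example (not ESET's code): flag <script>/<iframe> elements on a page that
# load from a host other than the site's own. Injected JavaScript and a hidden
# IFrame are exactly what a watering-hole compromise adds to a legitimate page.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collects (tag, src) pairs for every <script> and <iframe> element."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append((tag, src))


def find_foreign_resources(html, site_host, allowlist=()):
    """Return (tag, url, host) for script/iframe sources whose host is neither
    the site's own host nor on the allowlist of expected third parties."""
    parser = _ResourceCollector()
    parser.feed(html)
    flagged = []
    for tag, src in parser.resources:
        host = urlparse(src).hostname
        if host is None:  # relative URL: same origin as the page itself
            continue
        if host == site_host or host in allowlist:
            continue
        flagged.append((tag, src, host))
    return flagged


# Constructed sample page: a local script, a known CDN, and one injected IFrame.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<iframe src="https://update-lure.example.org/flash.html" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src, host in find_foreign_resources(
            SAMPLE_HTML, "www.example.am", allowlist={"cdn.example.net"}):
        print(f"foreign {tag} loaded from {host}: {src}")
```

Run it against a saved copy of each page on a schedule and diff the output; a newly appearing host is the signal worth investigating.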
Interestingly, in this latest campaign Turla utilizes a completely new backdoor dubbed PyFlash. ESET believes this is the first time the Turla developers have used the Python language in a backdoor. The command and control server sends backdoor commands that include downloading files, executing Windows commands, and launching or uninstalling malware. “The final payload has changed, probably in order to evade detection,” explains Faou.
For more details about the latest Turla campaign, read the blog post "Tracking Turla: New backdoor delivered via Armenian watering holes" on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.