Turla Crutch: Keeping the “back door” open

January 27, 2021

ESET researchers uncover a new backdoor used by Turla to exfiltrate stolen documents to Dropbox

ESET researchers found a previously undocumented backdoor and document stealer. Dubbed Crutch by its developers, we were able to attribute it to the infamous Turla APT group. According to our research, it was used from 2015 to, at least, early 2020. We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets, as is common for many Turla tools.

Turla is a cyberespionage group that has been active for more than ten years. It has compromised many governments, especially diplomatic entities, all around the world, operating a large malware arsenal that we have described over the last years.

Attribution to Turla

During our research, we were able to identify strong links between a Crutch dropper from 2016 and Gazer. The latter, also known as WhiteBear, was a second-stage backdoor used by Turla in 2016-2017. Our analysis is based on the Crutch dropper with SHA-1 A010D5449D29A1916827FDB443E3C84C405CB2A5 and the Gazer dropper with SHA-1 1AE4775EFF21FB59708E8C2B55967CD24840C8D9. We identified the following similarities:

  • Both samples were dropped at C:\Intel\~intel_upd.exe on the same machine, five days apart, in September 2017
  • Both samples drop CAB files containing the various malware components
  • The loaders, dropped by the aforementioned samples, share clearly related PDB paths:
    C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\Release\Extractor.pdb and
    C:\Users\user\Documents\Visual Studio 2012\Projects\MemoryStarter\x64\Release\Extractor.pdb
  • The loaders decrypt their payloads using the same RC4 key:
    E8 8E 77 7E C7 80 8E E7 CE CE CE C6 C6 CE C6 68

Given these elements, and the fact that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal.

Another interesting observation is the presence of FatDuke and Crutch at the same time on one machine. The former is a third-stage backdoor that we attributed to the Dukes/APT29 in our Operation Ghost report. However, we do not have any evidence of interaction between these two malware families. It is possible that both groups independently compromised the same machine.

Espionage activity

According to ESET LiveGrid® data, Turla used the Crutch toolset against several machines of the Ministry of Foreign Affairs in a country of the European Union. These tools were designed to exfiltrate sensitive documents and other files to Dropbox accounts controlled by Turla operators.

We were able to capture some of the commands sent by the operators to several Crutch v3 instances, which helps in understanding the purpose of the operation. The operators were mainly doing reconnaissance, lateral movement and espionage.

The main malicious activity is the staging, compression and exfiltration of documents and various files, as shown in Figure 1. These are commands manually executed by the operators, so they do not show the automated collection of documents by the drive monitor component described in a later section. The exfiltration is performed by another backdoor command and is therefore not shown in the examples below.

Figure 1. Manual commands executed by the operators during the espionage phase

Finally, the operators have a certain sense of humour. At some point, they executed the following command:

Operators’ working hours

In order to get a rough idea of the operators’ working hours, we exported the times at which they uploaded ZIP files to the Dropbox accounts they operate. These ZIP files contain commands for the backdoor and are uploaded to Dropbox by the operators, asynchronously from the time at which the backdoor reads and executes their content. Thus, this should show when the operators are working and not when the victims’ machines are active.

We collected 506 different timestamps, ranging from October 2018 to July 2019. They are plotted in Figure 2.

Figure 2. Working hours of Crutch operators based on the uploads to Dropbox

Given the graph, the operators are likely to operate in the UTC+3 time zone.
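The time-zone inference used above, written out as an added example that is not part of ESET's report: it shifts a constructed set of upload timestamps (not the real 506-timestamp dataset) across every candidate UTC offset and keeps the offset that places the most uploads inside an assumed 09:00-17:59 working day.

```python
"""Estimate an operator's UTC offset from command-upload timestamps.

Added example, not ESET's tooling. The sample is constructed to resemble a
UTC+3 office day; the report's own dataset is not reproduced here.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of ZIP upload times (UTC, ISO 8601).
SAMPLE_UPLOADS_UTC = [
    "2018-10-03T06:12:00", "2018-10-03T06:48:00", "2018-10-03T07:45:00",
    "2018-10-04T08:05:00", "2018-10-04T09:30:00", "2018-10-04T10:10:00",
    "2018-10-05T11:25:00", "2018-10-05T12:40:00", "2018-10-05T13:15:00",
    "2018-10-08T14:02:00", "2018-10-08T14:55:00", "2018-10-09T17:20:00",
]

# Assumption: a normal working day runs 09:00-17:59 local time.
WORK_HOURS = range(9, 18)


def hour_histogram(timestamps, offset_hours=0):
    """Count uploads per local hour after applying a UTC offset."""
    shift = timedelta(hours=offset_hours)
    counts = Counter()
    for ts in timestamps:
        local = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) + shift
        counts[local.hour] += 1
    return counts


def score_offset(timestamps, offset_hours):
    """Fraction of uploads that land inside WORK_HOURS for this offset."""
    hist = hour_histogram(timestamps, offset_hours)
    inside = sum(n for hour, n in hist.items() if hour in WORK_HOURS)
    return inside / len(timestamps)


def likely_offset(timestamps):
    """UTC offset in -12..+14 that maximises in-hours uploads (first on ties)."""
    return max(range(-12, 15), key=lambda off: score_offset(timestamps, off))


def render(timestamps, offset_hours):
    """Text histogram of local upload hours, in the spirit of Figure 2."""
    hist = hour_histogram(timestamps, offset_hours)
    return "\n".join(f"{h:02d}h {'#' * hist.get(h, 0)}" for h in range(24))


if __name__ == "__main__":
    best = likely_offset(SAMPLE_UPLOADS_UTC)
    print(f"most consistent offset: UTC{best:+d}")
    print(render(SAMPLE_UPLOADS_UTC, best))
```

With real data, a flat or bimodal histogram at the best offset is a signal that several operators or shifts are mixed in, so check the rendered histogram rather than trusting the single number.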

Compromise / Malware delivery

We believe that Crutch is not a first-stage backdoor and is deployed after the operators have already compromised an organization’s network.

The first method consists in using a first-stage implant such as Skipper. In 2017, we observed Crutch being deployed a few months after the computer was compromised by Skipper. Then, the malware operators also compromised other machines on the local network by moving laterally.

The second method we have witnessed is the use of PowerShell Empire. We were not able to uncover how the malicious script arrived on the machine, but we believe it was through another implant, although a phishing document cannot be excluded. It should be noted that the PowerShell Empire scripts were using OneDrive and Dropbox.

Crutch version 1 to 3

From 2015 to mid-2019, the malware architecture used a backdoor communicating with Dropbox and a drive monitor without network capabilities.

Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. It can execute basic commands such as reading and writing files or executing additional processes. It persists via DLL hijacking on Chrome, Firefox or OneDrive. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain.

The second main binary is a removable-drive monitor that searches for files that have an interesting extension (.pdf, .rtf, .doc, .docx). It then stages the files in an encrypted archive.

Figure 3. Architecture of Crutch v3

Crutch version 4

In July 2019, we found a new version of Crutch. While we do not have the developer’s version number, we believe it has evolved enough to qualify as version 4. This new version is an updated version of the removable-drive monitor with networking capabilities.

Figure 4 shows the architecture of Crutch v4. The main difference is that it no longer supports backdoor commands. On the other hand, it can automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility.

Figure 4. Architecture of Crutch v4

The working directory of this v4 is C:\Intel, where the following components are found:

  • outllib.dll: The Crutch DLL
  • finder.exe: The genuine Outlook Item Finder from Microsoft Outlook (SHA-1: 830EE9E6A1BB7588AA8526D94D2D9A2B491A49FA)
  • resources.dll: Genuine DLL that is a dependency of finder.exe (SHA-1: 31D82C554ABAB3DD8917D058C2A46509272668C3)
  • outlook.dat: Crutch config file. It contains the Dropbox API token.
  • ihlp.exe: The genuine RAR utility (SHA-1: A92C801F491485F6E27B7EF6E52E02B461DBCFAA)
  • msget.exe: A clean version of the Wget utility for Windows (SHA-1: 457B1CD985ED07BAFFD8C66FF40E9C1B6DA93753)

As does Crutch v3, it persists using DLL hijacking. However, in this case the host application is an old Microsoft Outlook component that is dropped on the compromised system by the operators.
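A detection check for both persistence mechanisms described above (v3's DLL search order hijacking beside Chrome, Firefox or OneDrive, and v4's outllib.dll loaded by finder.exe from C:\Intel), as an added example that is not ESET's code: it classifies constructed Sysmon-style image-load events, flagging a system DLL resolved from an application directory instead of the Windows system directories, and the finder.exe/outllib.dll pairing. The event field names and the sample events are assumptions; the DLL names and paths come from the report.

```python
"""Flag image-load telemetry matching Crutch's DLL-hijack persistence.

Added example, not ESET's code. Events are constructed Sysmon-style
Event ID 7 (ImageLoaded) records, not real telemetry.
"""
import ntpath

# System DLLs that Crutch v3 planted beside Chrome, Firefox or OneDrive.
HIJACKED_DLLS = {"dwmapi.dll", "rasadhlp.dll"}
# Where those DLLs legitimately live; a load from anywhere else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Crutch v4: outllib.dll loaded by the Outlook Item Finder (finder.exe)
# from the C:\Intel working directory.
V4_HOST, V4_DLL = "finder.exe", "outllib.dll"

SAMPLE_EVENTS = [  # constructed sample, not real logs
    {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll"},
    {"Image": r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll"},
    {"Image": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll"},
    {"Image": r"C:\Intel\finder.exe", "ImageLoaded": r"C:\Intel\outllib.dll"},
    {"Image": r"C:\Intel\finder.exe", "ImageLoaded": r"C:\Intel\resources.dll"},
]


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower() + "\\"


def classify(event):
    """Return a finding for a suspicious load, or None for a benign one."""
    image, loaded = event["Image"], event["ImageLoaded"]
    dll = _name(loaded)
    if dll in HIJACKED_DLLS and not _dir(loaded).startswith(SYSTEM_DIRS):
        # A system DLL resolved from the host's own directory: search-order hijack.
        return f"T1574.001 {dll} loaded from {ntpath.dirname(loaded)} by {_name(image)}"
    if _name(image) == V4_HOST and dll == V4_DLL:
        return f"Crutch v4 pattern: {dll} loaded by {V4_HOST} from {ntpath.dirname(loaded)}"
    return None


def scan(events):
    """Run classify over a batch of events and keep only the findings."""
    return [finding for finding in map(classify, events) if finding]
```

The legitimate load of dwmapi.dll from System32 and finder.exe's genuine resources.dll dependency are left unflagged, which is the distinction a real rule must keep to avoid drowning in noise.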

Conclusion

In the past few years, we have publicly documented several malware families operated by Turla. Crutch shows that the group is not short of new or currently undocumented backdoors. This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.

Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.

Indicators of Compromise can also be found on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us at: [email protected].

Indicators of Compromise

Hashes

SHA-1 Description ESET detection name
A010D5449D29A1916827FDB443E3C84C405CB2A5 Crutch dropper similar to Gazer Win64/Agent.VX
2FABCF0FCE7F733F45E73B432F413E564B92D651 Crutch v3 backdoor (packed) Win32/Agent.TQL
A4AFF23B9A58B598524A71F09AA67994083A9C83 Crutch v3 backdoor (unpacked) Win32/Agent.TQL
778AA3A58F5C76E537B5FE287912CC53469A6078 Crutch v4 Win32/Agent.SVE

Paths

Crutch working directories

Filenames

  • C:\Intel\outllib.dll
  • C:\Intel\lang.nls
  • C:\Intel\~intel_upd.exe
  • C:\Intel\~csrss.exe
  • C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll
  • C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll
  • %LOCALAPPDATA%\Microsoft\OneDrive\dwmapi.dll

Network

  • hotspot.accesscam[.]org
  • highcolumn.webredirect[.]org
  • ethdns.mywire[.]org
  • theguardian.webredirect[.]org
  • https://raw.githubusercontent[.]com/ksRD18pro/ksRD18/master/ntk.tmp

MITRE ATT&CK techniques

Note: This table was built using version 7 of the MITRE ATT&CK framework.

Tactic ID Name Description
Initial Access T1078.003 Valid Accounts: Local Accounts Crutch operators abused local accounts that have the same password across the victim’s network. This was used when compromising additional machines in the network; the initial breach is unknown.
Persistence T1053.005 Scheduled Task/Job: Scheduled Task Crutch v4 persists using a Windows scheduled task.
Persistence T1574.001 Hijack Execution Flow: DLL Search Order Hijacking Crutch v3 persists by doing DLL search order hijacking on Google Chrome, Mozilla Firefox or Microsoft OneDrive.
Defense Evasion T1036.004 Masquerading: Masquerade Task or Service Crutch v4 persists using a scheduled task that impersonates the Outlook item finder.
Discovery T1120 Peripheral Device Discovery Crutch monitors when a removable drive is plugged into the compromised machine.
Collection T1025 Data from Removable Media Crutch monitors removable drives and exfiltrates files matching a given extension list.
Collection T1074.001 Data Staged: Local Data Staging The Crutch v3 removable-drive monitor stages the stolen files in the C:\AMD\Temp directory.
Collection T1119 Automated Collection Crutch automatically monitors removable drives in a loop and copies interesting files.
Collection T1560.001 Archive Collected Data: Archive via Utility Crutch uses the WinRAR utility to compress and encrypt stolen files.
Command and Control T1008 Fallback Channels Crutch v3 uses a hardcoded GitHub repository as a fallback channel.
Command and Control T1071.001 Application Layer Protocol: Web Protocols The network protocol of Crutch uses the official Dropbox API over HTTP.
Command and Control T1102.002 Web Service: Bidirectional Communication Crutch uses Dropbox to receive commands and to upload stolen data.
Exfiltration T1020 Automated Exfiltration Crutch v4 automatically exfiltrates the stolen files to Dropbox.
Exfiltration T1041 Exfiltration Over C2 Channel Crutch exfiltrates data using the primary C&C channel (Dropbox HTTP API).
Exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Crutch exfiltrates stolen data to Dropbox.
