Turla Crutch backdoor: analysis and recommendations

Crutch is a newly discovered backdoor from Turla advanced persistent threat (APT), a Russian-linked threat actor, used in a recent cyberattack against an country’s Ministry of Foreign Affairs. The attack leveraged Dropbox to exfiltrate sensitive documents. Let’s explore how to protect end users and network assets against threats of this nature.

What is Turla Crutch backdoor?

Turla APT has been active for over 10 years, compromising several governments and diplomatic entities around the globe. Recently, Enjoy Safer Technology (ESET) researchers found a new backdoor dubbed Crutch used to exfiltrate documents and sensitive information. “According to our research, it was used from 2015 to, at least, early 2020. We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets as is common for many Turla tools,” said ESET.

Given the similarities found between a Crutch dropper and Gazer, also known as WhiteBear, which was disseminated and used by Turla APT, there is a strong probability this backdoor is part of the group arsenal.

By analyzing the two samples, ESET found the following similarities:

Both samples were dropped on

Read More: https://resources.infosecinstitute.com/topic/turla-crutch-backdoor-analysis-and-recommendations/