Turla Crutch backdoor: analysis and recommendations

Crutch is a newly discovered backdoor from Turla (APT), a Russian-linked threat actor, used in a recent cyberattack against a country’s Ministry of Foreign Affairs. The attack leveraged Dropbox to exfiltrate sensitive documents. Let’s explore how to protect end users and assets against attacks of this nature.

What is Turla Crutch backdoor?

Turla APT has been active for over 10 years, compromising several governments and diplomatic entities around the globe. Recently, ESET researchers found a new backdoor dubbed Crutch, used to exfiltrate documents and sensitive information. “According to our , it was used from 2015 to, at least, early 2020. We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets as is common for many Turla ,” said ESET.

Given the similarities between a Crutch dropper and Gazer (also known as WhiteBear), which was disseminated and used by Turla APT, there is a strong probability that this backdoor is part of the group’s arsenal.

By analyzing the two samples, ESET found the following similarities:

Both samples were dropped on

Read More: https://resources.infosecinstitute.com/topic/turla-crutch-backdoor-analysis-and-recommendations/