Tracking Turla: ESET researchers discover attack on governmental websites in Armenia

BRATISLAVA, MONTREAL – ESET researchers have found a watering hole operation targeting several high-profile Armenian websites. It relies on a social engineering trick — a fake Adobe Flash update — as a lure to deliver two previously undocumented pieces of malware. In this specific operation, Turla has compromised at least four Armenian websites, including two belonging to the government. Thus, it is likely the targets include government officials and politicians.

Turla is an infamous cyberespionage group active for more than 10 years. Its main targets are government and military organizations. This recent operation bears similarities to the modus operandi of several of Turla’s watering hole campaigns in the past.

ESET Research has indications that these websites had been compromised since at least the beginning of 2019. We notified the Armenian national CERT and shared our analysis with them before publication.

“If the visitor is deemed interesting, the C&C server replies with a piece of JavaScript code that creates an IFrame. Data from ESET telemetry suggests that, for this campaign, only a very limited number of visitors were considered interesting by Turla’s operators,” comments ESET researcher Matthieu Faou on the victims of the attack.

“A fake Adobe Flash update pop-up window warning to the user is displayed in order to trick them into downloading a malicious Flash installer. The compromise attempt relies solely on this social engineering trick,” he adds.

Interestingly, in this latest campaign Turla uses a completely new backdoor dubbed PyFlash. ESET believes this is the first time the Turla developers have used the Python language in a backdoor. The command-and-control server sends backdoor commands that include downloading files, executing Windows commands, and launching or uninstalling malware. “The final payload has changed, probably in order to evade detection,” explains Faou.

For more details about the latest Turla campaign, read the blogpost “Tracking Turla: New backdoor delivered via Armenian watering holes” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.