Turla's New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector

Cyber Security Threat Summary:
A new .NET-based backdoor dubbed DeliveryCheck (aka CAPIBAR or GAMEDAY) was observed targeting the defense sector in Ukraine and Eastern Europe, and is capable of delivering next-stage payloads. According to an advisory released in coordination with Microsoft, the government computer emergency response team of Ukraine (CERT-UA) has attributed the new backdoor to Turla (aka Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug), a Russian state-backed actor that is linked to Russia’s Federal Security Service (FSB).

In the latest attacks observed, DeliveryCheck is being distributed via phishing emails carrying macro-laced documents. Upon successful infection, PowerShell is launched and a scheduled task is downloaded and executed in memory for persistence. From there, DeliveryCheck contacts a C2 server to retrieve tasks, including ones that launch arbitrary payloads embedded in XSLT stylesheets.

“In addition to the use of XSLT (Extensible Stylesheet Language Transformations) and COM-hijacking, the specificity of CAPIBAR is the presence of a server part, which is usually installed on compromised MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DSC) PowerShell tool, effectively turning a legitimate server into a malware control center,” stated the agency in its advisory.
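The two paragraphs above describe an observable chain on the endpoint and the server: an Office document spawning PowerShell, a scheduled task that runs PowerShell for persistence, and a MOF file dropped through DSC on an Exchange host. The following triage script is an added example written for this summary, not code from CERT-UA, Microsoft or the Turla reporting; it turns each of those three statements into a simple detection rule and runs them over a handful of constructed event records. Field names follow Sysmon (Event ID 1 process create, Event ID 11 file create) and Windows Security (Event ID 4698 scheduled task created) conventions; the hostnames, the asset-role table and the sample events are constructed for the example, and the DSC directory used in rule H3 is the Local Configuration Manager's own store under System32\Configuration.

```python
"""Triage of constructed endpoint events for the DeliveryCheck chain described above.

Rules (each maps to one sentence of the advisory text):
  H1  Office application spawns powershell.exe  (macro-laced document -> PowerShell)
  H2  Scheduled task registered whose action runs PowerShell (persistence step)
  H3  .mof file written into the DSC configuration directory on an Exchange host
      (server-side component installed via Desired State Configuration)
The sample events and host roles below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)\.exe\b", re.IGNORECASE)
# The DSC Local Configuration Manager keeps applied/pending documents here.
DSC_DIR = re.compile(r"\\windows\\system32\\configuration\\", re.IGNORECASE)

# Assumption: an asset inventory that says which hosts run Exchange (constructed).
HOST_ROLES = {"EXCH01": "exchange", "WS-042": "workstation", "FS01": "fileserver"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Finding]:
    """Apply H1..H3 to one event; return a Finding or None."""
    host = ev.get("host", "?")
    src, eid = ev.get("source"), ev.get("event_id")
    # H1: Sysmon 1 (process create) with an Office parent and a PowerShell child.
    if src == "sysmon" and eid == 1:
        if basename(ev["ParentImage"]) in OFFICE_PARENTS and POWERSHELL.search(ev["Image"]):
            return Finding("H1-office-spawns-powershell", host, ev["CommandLine"])
    # H2: Security 4698 (scheduled task created) whose action invokes PowerShell.
    if src == "security" and eid == 4698:
        if POWERSHELL.search(ev.get("TaskContent", "")):
            return Finding("H2-task-runs-powershell", host, ev["TaskName"])
    # H3: Sysmon 11 (file create) of a .mof in the DSC store on an Exchange host.
    # The role check narrows to the servers the advisory names; drop it to widen.
    if src == "sysmon" and eid == 11:
        f = ev["TargetFilename"]
        if f.lower().endswith(".mof") and DSC_DIR.search(f) and HOST_ROLES.get(host) == "exchange":
            return Finding("H3-dsc-mof-on-exchange", host, f)
    return None


def triage(events: Iterable[dict]) -> List[Finding]:
    """Run every rule over every event and keep the hits, in input order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample events: three should fire (one per rule), three should not.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 1, "host": "WS-042",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c ..."},
    {"source": "sysmon", "event_id": 1, "host": "WS-042",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"source": "security", "event_id": 4698, "host": "WS-042",
     "TaskName": r"\Microsoft\Windows\Example\Updater",
     "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-w hidden</Arguments></Exec>"},
    {"source": "security", "event_id": 4698, "host": "FS01",
     "TaskName": r"\Backup\Nightly",
     "TaskContent": r"<Exec><Command>C:\backup\run.exe</Command></Exec>"},
    {"source": "sysmon", "event_id": 11, "host": "EXCH01",
     "TargetFilename": r"C:\Windows\System32\Configuration\Pending.mof"},
    {"source": "sysmon", "event_id": 11, "host": "FS01",
     "TargetFilename": r"C:\Windows\System32\Configuration\Pending.mof"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.rule:30} {hit.host:8} {hit.detail}")
```

On a real estate each rule would be fed from the SIEM rather than from a list, and H3 in particular benefits from a baseline: DSC is a legitimate administration tool, so a MOF write on an Exchange server is worth a look only where DSC is not part of that server's normal management.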

Security Officer Comments:
The motive behind this campaign appears to be cyberespionage, with the threat actors exfiltrating messages from applications like Signal, giving them access to sensitive data including conversations, documents, and images on targeted systems. According to CERT-UA, in some cases initial access to compromised systems is followed by the deployment of Kazuar, a known Turla implant. For its part, Kazuar comes with 40 different functions, enabling it to steal authentication data such as passwords, bookmarks, autofill entries, history, proxies, and cookies from various web browsers, as well as database and configuration files from programs like KeePass, Azure, Gcloud, AWS, and bluemix, among many others.

Suggested Correction(s):
With phishing emails being the initial infection vector, users should adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

IOCs:
https://cert.gov.ua/article/5213167

Link(s):
https://thehackernews.com/2023/07/turlas-new-deliverycheck-backdoor.html