Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Trula, an advanced hacking group also called Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets government entities, military, energy, and nuclear research study organizations.

The group understands for conducting numerous watering-hole attacks and spear-phishing strategies to contaminate targeted victims. The group knows to be active because a minimum of 2014.

Accenture threat researchers identified the group typical targeting European federal government companies utilizing their custom-made tools, albeit with some updates.

Trula Group Attack

You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity and hacking news updates.

Previously in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

Accenture Cyber Threat Intelligence researchers determined that one of the RPC backdoors used HyperStack performance.

The RPC backdoors are established by Trula based upon the relying RPC protocol, by using these backdoors they can carry out lateral movement and take control of other machines in the local network without relying on the C&C server.

Kazuar uses to get in touch with the target C2 network that resides outside of the victim network, the C2 network is most likely a compromised genuine site.

For C&C interaction as like other cyber-espionage groups, Trula utilizes genuine web services. In the case of the Carbon modular backdoor framework Pastebin utilized for C&C.

” HyperStack uses named pipelines to execute remote treatment calls (RPC) from the controller to the gadget hosting the HyperStack customer. To move laterally, the implant attempts to link to another remote devices IPC$ share, either using a null session or default qualifications.”

Another version of HyperStack observed in this project that enables Trula operators to run a command via a named pipe from the controller without carrying out IPC$ enumeration activity.

In the attack against European government organization, Trula utilized a combination of remote procedure call (RPC)- based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.