Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

The group understands for conducting different spear-phishing methods and watering-hole attacks to contaminate targeted victims. The group knows to be active considering that at least 2014.

Accenture danger scientists recognized the group typical targeting European government companies using their custom tools, albeit with some updates.

Trula, a sophisticated hacking group likewise called Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets federal government entities, military, energy, and nuclear research organizations.

Trula Group Attack

Accenture Cyber Threat Intelligence scientists identified that a person of the RPC backdoors utilized HyperStack functionality.

Kazuar utilizes to get in touch with the target C2 network that resides beyond the victim network, the C2 network is most likely a compromised legitimate website.

For C&C interaction as like other cyber-espionage groups, Trula utilizes legitimate web services. In the case of the Carbon modular backdoor structure Pastebin utilized for C&C.

You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity and hacking news updates.

Likewise, another variation of HyperStack observed in this project that allows Trula operators to run a command via a called pipe from the controller without executing IPC$ enumeration activity.

The RPC backdoors are developed by Trula based upon the relying RPC protocol, by utilizing these backdoors they can carry out lateral movement and take control of other makers in the local network without counting on the C&C server.

In the attack versus European federal government organization, Trula utilized a mix of remote treatment call (RPC)- based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.

Previously in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

” HyperStack utilizes named pipes to execute remote treatment calls (RPC) from the controller to the gadget hosting the HyperStack customer. To move laterally, the implant attempts to connect to another remote gadgets IPC$ share, either utilizing a null session or default credentials.”