Turla Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Accenture threat researchers found the group targeting European government organizations with its usual custom tools, albeit with some updates.

The group is known for conducting watering-hole attacks and spear-phishing campaigns to infect targeted victims, and it has been active since at least 2014.

Turla, an advanced hacking group also known as Krypton, Venomous Bear, Waterbug, Uroburos, or Snake, targets government entities, the military, energy companies, and nuclear research organizations.

Turla Group Attack


"HyperStack uses named pipes to perform remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant attempts to connect to another remote device's IPC$ share, either using a null session or default credentials."

Like other cyber-espionage groups, Turla uses legitimate web services for C&C communication. In the case of the Carbon modular backdoor framework, Pastebin was used for C&C.

Kazuar is used to communicate with a C2 server that resides outside the victim network; that C2 server is most likely a compromised legitimate website.

Turla's RPC backdoors are built on the RPC protocol; with them, the operators can perform lateral movement and take control of other devices on the local network without relying on the C&C server.

Accenture Cyber Threat Intelligence researchers determined that one of the RPC backdoors used HyperStack functionality.

Another variant of HyperStack observed in this campaign allows Turla operators to run a command via a named pipe from the controller without performing any IPC$ enumeration.
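The IPC$ lateral-movement behaviour described in the Accenture quote above (null sessions or default credentials against a remote device's IPC$ share) leaves a trace on the target host: Windows Security Event ID 5140 ("A network share object was accessed") records the share name, the account used and the source IP. The following is an added detection example, not code from the article or from Accenture's report; the event lines are constructed, flattened to one key=value line each, and the list of built-in accounts treated as "default" is an assumption for the example.

```python
"""Flag IPC$ share connections made with a null session (ANONYMOUS LOGON)
or with a local built-in account, from Windows Security Event ID 5140
records. Added defensive example; sample events below are constructed."""
import re
from collections import Counter

# Constructed sample events (not real telemetry), one per line, in the
# form "Key=Value Key=Value ...". Values may contain spaces.
SAMPLE_EVENTS = [
    r"EventID=5140 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY ShareName=\\*\IPC$ IpAddress=10.0.0.23",
    r"EventID=5140 SubjectUserName=jdoe SubjectDomainName=CORP ShareName=\\*\IPC$ IpAddress=10.0.0.41",
    r"EventID=5140 SubjectUserName=Administrator SubjectDomainName=WS07 ShareName=\\*\IPC$ IpAddress=10.0.0.23",
    r"EventID=5140 SubjectUserName=jdoe SubjectDomainName=CORP ShareName=\\*\Finance IpAddress=10.0.0.41",
    r"EventID=4624 SubjectUserName=jdoe SubjectDomainName=CORP IpAddress=10.0.0.41",
]

# Matches "Key=Value" pairs where the value runs until the next " Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Assumptions for the example: the Active Directory domain name of the
# monitored environment, and built-in local accounts whose use over SMB
# from another host is unusual enough to review.
CORP_DOMAIN = "CORP"
DEFAULT_ACCOUNTS = {"administrator", "guest"}


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify_ipc_access(event):
    """Return a reason string if this 5140 event is an IPC$ access worth
    flagging, otherwise None."""
    if event.get("EventID") != "5140":
        return None
    if not event.get("ShareName", "").upper().endswith("IPC$"):
        return None
    user = event.get("SubjectUserName", "")
    domain = event.get("SubjectDomainName", "")
    # Null session: SMB connection with no credentials at all.
    if user.upper() == "ANONYMOUS LOGON":
        return "null-session"
    # Built-in local account (domain field is the machine name, not CORP).
    if user.lower() in DEFAULT_ACCOUNTS and domain.upper() != CORP_DOMAIN:
        return "local-default-account"
    return None


def find_suspicious_ipc_access(lines):
    """Parse every line and return the flagged IPC$ accesses in order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = classify_ipc_access(event)
        if reason:
            findings.append({
                "source_ip": event.get("IpAddress", "?"),
                "user": event.get("SubjectUserName", "?"),
                "reason": reason,
            })
    return findings


def count_by_source(findings):
    """Count flagged accesses per source IP; one host touching many IPC$
    shares is the lateral-movement pattern to look at first."""
    return Counter(f["source_ip"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious_ipc_access(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["source_ip"]:<12} {hit["user"]:<18} {hit["reason"]}')
    print("per-source counts:", dict(count_by_source(hits)))
```

On real data, the same logic applies to Event ID 5145 (detailed share access) and to the source-IP counts aggregated over a time window; the example keeps the per-event classification separate from the aggregation so either side can be swapped for a SIEM query.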

Earlier, in May, the Turla group updated its ComRAT malware to use the Gmail web interface for command and control.

In the attack against the European government organization, Turla used a combination of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.