Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Accenture hazard researchers determined the group typical targeting European federal government organizations using their customized tools, albeit with some updates.

The group knows for carrying out numerous watering-hole attacks and spear-phishing methods to infect targeted victims. The group understands to be active since at least 2014.

Trula, an advanced hacking group likewise known as Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets federal government entities, military, energy, and nuclear research study organizations.

Trula Group Attack

Accenture Cyber Threat Intelligence researchers identified that a person of the RPC backdoors used HyperStack functionality.

For C&C communication as like other cyber-espionage groups, Trula uses legitimate web services. In the case of the Carbon modular backdoor structure Pastebin utilized for C&C.

The RPC backdoors are developed by Trula based on the relying RPC protocol, by utilizing these backdoors they can perform lateral motion and take control of other makers in the local network without counting on the C&C server.

Earlier in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

Likewise, another version of HyperStack observed in this project that enables Trula operators to run a command via a called pipeline from the controller without implementing IPC$ enumeration activity.

Kazuar uses to connect with the target C2 network that lives outside of the victim network, the C2 network is most likely a jeopardized legitimate website.

In the attack against European government organization, Trula used a combination of remote treatment call (RPC)- based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.

You can follow us on Linkedin, Twitter, Facebook for day-to-day Cybersecurity and hacking news updates.

” HyperStack uses called pipes to carry out remote procedure calls (RPC) from the controller to the gadget hosting the HyperStack customer. To move laterally, the implant attempts to link to another remote devices IPC$ share, either utilizing a null session or default credentials.”