Turla Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

Accenture threat researchers observed the group targeting European government organizations with its usual custom tools, albeit with some updates.

Turla, an advanced hacking group also known as Krypton, Venomous Bear, Waterbug, Uroburos, or Snake, targets government entities, militaries, energy companies, and nuclear research organizations.

The group is known for carrying out spear-phishing and watering-hole attacks to infect targeted victims. It is known to have been active since at least 2014.

Turla Group Attack

Turla developed its RPC backdoors on top of the RPC protocol; using these backdoors, the operators can move laterally and take control of other devices on the local network without relying on the C&C server.

Another version of HyperStack observed in this campaign allows Turla operators to run a command through a named pipe from the controller without performing IPC$ enumeration.

Accenture Cyber Threat Intelligence researchers determined that one of the RPC backdoors used HyperStack functionality.

Earlier, in May, the Turla group updated its ComRAT malware to use the Gmail web interface for command and control.

Kazuar is used to communicate with a C2 server that resides outside the victim network; that C2 server is probably a compromised legitimate website.

Like other cyber-espionage groups, Turla uses legitimate web services for C&C communication. In the case of the Carbon modular backdoor framework, Pastebin was used for C&C.


"HyperStack uses named pipes to perform remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant attempts to connect to another remote device's IPC$ share, either using a null session or default credentials."

In the attack against the European government organization, Turla used a mix of remote procedure call (RPC)-based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.
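As an added defender-side example (not code from the article or from Accenture's report), the following Python script scans Windows Security event 5140 records ("A network share object was accessed") for the lateral-movement pattern the HyperStack quote describes: IPC$ opened by a null session (ANONYMOUS LOGON), and one source address opening IPC$ on many hosts. Field names follow the real event; the key=value rendering and every value in the sample are constructed.

```python
"""Flag IPC$ null-session access and IPC$ fan-out in event 5140 records."""
import re
from collections import defaultdict

# Constructed sample data (not real telemetry): a simplified key=value rendering
# of Windows Security event 5140. One source, 10.0.0.42, opens IPC$ on four hosts,
# three of them via a null session (ANONYMOUS LOGON).
SAMPLE_LOGS = r"""
EventID=5140 Computer=FS01 SubjectUserName=alice SubjectDomainName=CORP ShareName=\\*\Finance IpAddress=10.0.0.15
EventID=5140 Computer=WS07 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY ShareName=\\*\IPC$ IpAddress=10.0.0.42
EventID=5140 Computer=WS08 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY ShareName=\\*\IPC$ IpAddress=10.0.0.42
EventID=5140 Computer=WS09 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY ShareName=\\*\IPC$ IpAddress=10.0.0.42
EventID=5140 Computer=DC01 SubjectUserName=bob SubjectDomainName=CORP ShareName=\\*\IPC$ IpAddress=10.0.0.20
EventID=5140 Computer=WS10 SubjectUserName=svc_backup SubjectDomainName=CORP ShareName=\\*\IPC$ IpAddress=10.0.0.42
"""

# Values may contain spaces ("ANONYMOUS LOGON"), so a value runs lazily up to
# the next " Key=" token or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value line into a dict; empty lines give an empty dict."""
    return dict(FIELD_RE.findall(line))


def ipc_share_events(log_text):
    """Yield parsed 5140 events whose share is IPC$."""
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "5140" and ev.get("ShareName", "").upper().endswith("IPC$"):
            yield ev


def find_ipc_null_sessions(log_text):
    """Return (host, source_ip) pairs where IPC$ was opened by a null session."""
    return [(ev["Computer"], ev["IpAddress"]) for ev in ipc_share_events(log_text)
            if ev.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"]


def ipc_fanout(log_text, threshold=3):
    """Map source IPs that opened IPC$ on >= threshold distinct hosts to those hosts."""
    hosts_by_src = defaultdict(set)
    for ev in ipc_share_events(log_text):
        hosts_by_src[ev["IpAddress"]].add(ev["Computer"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    print("null-session IPC$:", find_ipc_null_sessions(SAMPLE_LOGS))
    print("IPC$ fan-out:", ipc_fanout(SAMPLE_LOGS))
```

Administrators on a domain controller legitimately open IPC$ too, so the fan-out threshold and an allow-list of known admin hosts are the knobs to tune before alerting on this.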