Trula Hacker Group Uses Custom Malware & Legacy Tools to Attack Government Organizations

The group knows for performing different watering-hole attacks and spear-phishing strategies to infect targeted victims. The group understands to be active considering that at least 2014.

Trula, a sophisticated hacking group likewise referred to as Krypton, VenomousBear, Waterbug, Uroburos, or Snakegroup targets federal government entities, military, energy, and nuclear research companies.

Accenture hazard scientists recognized the group typical targeting European government organizations utilizing their customized tools, albeit with some updates.

Trula Group Attack

Accenture Cyber Threat Intelligence scientists identified that one of the RPC backdoors used HyperStack performance.

Earlier in May Turla Group Updated ComRAT Malware to Use Gmail web Interface for Command and Control.

The RPC backdoors are established by Trula based on the relying RPC procedure, by utilizing these backdoors they can perform lateral movement and take control of other makers in the local network without depending on the C&C server.

Kazuar utilizes to connect with the target C2 network that lives outside of the victim network, the C2 network is most likely a jeopardized legitimate website.

For C&C communication as like other cyber-espionage groups, Trula uses genuine web services. When it comes to the Carbon modular backdoor framework Pastebin utilized for C&C.

” HyperStack uses named pipelines to perform remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote gadgets IPC$ share, either utilizing a null session or default credentials.”

You can follow us on Linkedin, Twitter, Facebook for everyday Cybersecurity and hacking news updates.

Likewise, another version of HyperStack observed in this campaign that permits Trula operators to run a command through a named pipe from the controller without carrying out IPC$ enumeration activity.

In the attack versus European federal government company, Trula utilized a combination of remote procedure call (RPC)- based backdoors, such as HyperStack, and remote administration trojans (RATs), such as Kazuar and Carbon.