Two days ago, I started to analyse an unusual Turla dropper which adds an extra layer to the already known dropper and which pretends to have been compiled in 2013 according to its time stamp. However, some of its final payloads have a newer compilation time stamp from 2014, leading to the assumption that this new dropper's time stamp is faked. Another indication that this new dropper is not from 2013 is the fact that it was first submitted to VirusTotal in March 2016.
This new dropper is disguised as a legit JPEGView version, since it mixes some of the code with its own. Also, the file description corresponds to an old version of this image viewer. Its payload - an old Turla dropper from 2014 - is split up into 3 PNG files inside the resource section. So, it uses the same method for hiding its payload inside PNG files as the recently discovered ZeroAccess 3 dropper, although the implementation is a bit different. One could think that this new dropper was inspired by ZeroAccess 3, but I don't think this is from the people behind Turla. Why should somebody disguise an old dropper inside an image viewer?
Recently, someone added an old Turla dropper which was crypted with VMProtect and an old Wipbot sample which was crypted with Enigma Protector. The latter, when decrypted, contains a resource named "TURLA", which would be quite unusual if it were from the people behind Turla. It looks more like someone is experimenting with some old Turla samples to make them undetected by some security software.
At the end of 2014, CrySyS Lab released two blog posts in which they write about testing the detection of APT tools by available security solutions. They also released a test tool named BAB0 which hides a payload inside a PNG file similar to the ZeroAccess 3 dropper (ZA inspired by this?) and decrypts it with the help of JavaScript code. This new Turla dropper could be an advancement of this BAB0 tool created for detection-testing purposes, but who knows... On the other side, there were some Turla samples uploaded to VirusTotal recently with a compilation time stamp from 2016 (if not faked):
https://virustotal.com/en/file/2dc0f9e0 ... /analysis/
https://virustotal.com/en/file/9184be43 ... /analysis/
https://virustotal.com/en/file/af0e455f ... /analysis/
https://virustotal.com/en/file/d581b95b ... /analysis/
The decrypted old Turla dropper has a compilation time stamp from August 2014, so shortly before the latest known dropper (I mistyped the year, it should be 2014). What is unusual about this version is that it has both versions (x86/x64) of the vulnerable VirtualBox driver on board and loads the appropriate file according to the Windows platform in use. A possible explanation why they have done this could be that since Windows 8 even the 32-bit version requires kernel-mode drivers to be signed if Secure Boot is enabled.
New Turla dropper:
https://virustotal.com/en/file/b5228539 ... /analysis/
New Turla dropper decrypted (old dropper):
https://virustotal.com/en/file/f697aa0b ... 459692191/
Payloads of old dropper attached.
That's all so far.
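Two of the checks used in the analysis above can be scripted: reading the COFF compilation time stamp of a PE, and carving PNG images out of a binary blob to look for a second PE hidden inside them, then flagging the outer file when an embedded payload carries a newer time stamp than its container. The following script is an added example, not code from the original post or from any of the samples it describes. It works on raw bytes (no `pefile` dependency) and builds its own constructed, labelled sample: a minimal PE with a 2013 time stamp that carries two PNG images, one of which hides a minimal PE stamped 2014 in a `tEXt` chunk. The chunk type used for the hidden payload and the layout of the sample are assumptions for illustration; the real dropper's resource layout is not reproduced here.

```python
import struct
import zlib
from datetime import datetime, timezone

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def carve_pngs(data: bytes):
    """Find every PNG signature in the blob and parse its chunks up to IEND.

    Returns a list of dicts with the image offset, its chunks (type, length, body)
    and whether every chunk CRC verified (a tampered chunk is a useful indicator)."""
    images = []
    pos = data.find(PNG_MAGIC)
    while pos != -1:
        off = pos + len(PNG_MAGIC)
        chunks, crc_ok = [], True
        while off + 8 <= len(data):
            length, ctype = struct.unpack_from(">I4s", data, off)
            if off + 12 + length > len(data):   # truncated chunk: stop parsing this image
                break
            body = data[off + 8:off + 8 + length]
            crc = struct.unpack_from(">I", data, off + 8 + length)[0]
            if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
                crc_ok = False
            chunks.append((ctype.decode("ascii", "replace"), length, body))
            off += 12 + length
            if ctype == b"IEND":
                break
        images.append({"offset": pos, "end": off, "chunks": chunks, "crc_ok": crc_ok})
        pos = data.find(PNG_MAGIC, off)
    return images


def embedded_pe_timestamps(data: bytes):
    """Look inside every carved PNG chunk for an MZ/PE image and report (chunk type, timestamp)."""
    found = []
    for png in carve_pngs(data):
        for ctype, _length, body in png["chunks"]:
            stamp = pe_timestamp(body)
            if stamp is not None:
                found.append((ctype, stamp))
    return found


def timestamp_inconsistent(data: bytes) -> bool:
    """True when an embedded PE claims a newer build date than the file that carries it."""
    outer = pe_timestamp(data)
    return outer is not None and any(inner > outer for _, inner in embedded_pe_timestamps(data))


# --- constructed sample data (not a real dropper) ---------------------------------

def build_min_pe(year: int) -> bytes:
    """Minimal DOS stub + PE signature + COFF header with a chosen TimeDateStamp (constructed)."""
    ts = int(datetime(year, 6, 1, tzinfo=timezone.utc).timestamp())
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_png(hidden: bytes = b"") -> bytes:
    """1x1 RGB PNG; optionally smuggles 'hidden' in a tEXt chunk (assumed carrier for this example)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")
    extra = png_chunk(b"tEXt", hidden) if hidden else b""
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + extra + png_chunk(b"IEND", b"")


# Outer "2013" PE carrying two PNGs, the second hiding a "2014" PE: the pattern the post describes.
SAMPLE = build_min_pe(2013) + b"\0" * 64 + build_png() + b"\0" * 16 + build_png(build_min_pe(2014))

if __name__ == "__main__":
    print("outer compile time:", pe_timestamp(SAMPLE))
    for png in carve_pngs(SAMPLE):
        print("PNG at", hex(png["offset"]), [(t, n) for t, n, _ in png["chunks"]], "crc_ok=", png["crc_ok"])
    print("embedded PE stamps:", embedded_pe_timestamps(SAMPLE))
    print("time stamp inconsistent:", timestamp_inconsistent(SAMPLE))
```

The CRC check matters in practice: a payload patched into an existing image without recomputing chunk CRCs leaves every image viewer happy but gives a cheap detection signal, and a chunk whose body starts with `MZ` is worth extracting and examining on its own regardless of what the container's time stamp claims.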