Russia’s Turla group goes trolling with code labeled “TrumpTower”



Written by

It’s a common practice: Researchers digging through malware find legitimate clues that point to its authors or data that are false flags meant to throw researchers off the right path.

In the case of the Turla hacking group, which is reportedly tied to Russia’s FSB intelligence service, it is unclear why the group decided to name one of its code strings “TrumpTower” or another “RocketMan!” – presumably a reference to U.S. President Donald Trump’s nickname for North Korean dictator Kim Jong Un.

Regardless of whether or not Turla was trolling, it’s clear to researchers from cybersecurity company Kaspersky that the new code was built for an ongoing hacking campaign aimed at a narrow set of unnamed government organizations. To deliver the malicious code to its targets, Turla used legitimate software downloaders, such as tools to evade internet censorship, that were infected with a “dropper” to install the malware.

While not saying where the targeting occurred, Kaspersky researchers on Monday published a set of Turla attack data meant to warn the cybersecurity community about the activity. That included a malware module that was used to deliver a JavaScript trojan long associated with Turla. The hackers are also using several compromised WordPress websites to communicate with their malware, Kaspersky researchers said.

Despite the recognizable names of their code strings, Turla has taken steps to keep its latest activity from being detected, the researchers said. For example, the attackers used a Windows system registry to store encrypted data that the malware could use at a later time.

Turla has been active in the last year and half, targeting at least 13 organizations across 10 countries, Symantec, another cybersecurity, said last month.

“[Turla] still follows a high-profile political agenda and now developers have broadened their arsenal of tools and spreading techniques,” a Kaspersky researcher told CyberScoop.

“The campaign was targeted, so there are only a few targets,” the researcher added, declining to disclose details of where the targeting occurred.

-In this Story-

espionage, Kaspersky, Russia, security research, Turla