U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Intelligence

Detected the first samples of Penquin Turla for Linux systems

Security experts at Kaspersky Lab have detected the first strain of Turla malware that was designed to infect Linux system and so called Penquin Turla. Security Experts at Kaspersky have discovered a new variant of Turla malware which was designed to hit Linux systems and for this reason, it was called the Penquin Turla. The investigation […]

Detected the first samples of Penquin Turla for Linux systems

Security experts at Kaspersky Lab have detected the first strain of Turla malware that was designed to infect Linux system and so called Penquin Turla.

Security Experts at Kaspersky have discovered a new variant of Turla malware which was designed to hit Linux systems and for this reason, it was called the Penquin Turla.

The investigation started after that apparently a new strain of malware was uploaded to a multi-scanner service. The malware was a previously unknown piece of a government malware, Turla, considered by the experts one of the most complex APTs in the history.

Turla was detected for the first time by researchers at BAE, which believe that the malware was developed by Russian cyber specialists, probably all these instances are part of a cyber weapon program of the Government of Moscow.

The experts at BAE Systems Applied Intelligence, who discovered the Snake campaign, have linked the platform to the Uroburos rootkit, which is another malware used for cyber espionage and discovered by the German firm G Data.

“This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.” states blog post published on Securelist.com.

The Penquin Turla is written in C/C++ and link multiple libraries that increase its file size, the authors have stripped the code of symbol information, probably to increase the difficulty of analysis by security experts.Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.

Like other variants of Turla, also the Penquin Turla implements functionalities like hidden network communications, remote control of the infected machine and arbitrary remote command execution.

The Penquin Turla doesn’t  require elevated privileges for its execution and it is hard to detect.

“It uses techniques that don’t require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.” states the post.

The experts discovered in the code of the Penquin Turla the hard coded address of the C&C used by the attackers, news-bbc.podzone[.]org, which responds to the IP address 80.248.65.183 and that is currently sinkholed by Kaspersky Lab.

The command and control mechanism used by the Penquin Turla is based on TCP/UDP packets and the C&C hostname “fits previously known Turla activity”.

The experts highlighted that this variant of Turla appears to have been put together from public sources, the attackers have integrated it adding other functionalities and leaving inactive older stubs of code from older versions of the malware.

Experts atKaspersky have discovered also another Penquin Turla sample, which apparently represents a different malware generation than the previously known instances.

 Penquin Turla

The experts have no doubts, there are many instances of Turla in the wild still unknown.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Penquin Turla, cyber espionage)

[adrotate banner=”13″]