New Wrapper of Kazuar (Turla Backdoor)

Turla has introduced a new wrapper for the Kazuar backdoor, nicknamed Pelmeni, used in targeted campaigns to deliver a memory-resident payload. The analysis details the infection chain, DLL side-loading with spoofed libraries, in-memory decryption/execution of a .NET payload, and a new socket-based exfiltration method along with changed log folders. #Kazuar #Turla #PelmeniWrapper #SkyTel #NVIDIAGeForceExperience #vncutil #ASUS

Keypoints

  • Turla has deployed a new Kazuar wrapper, dubbed Pelmeni, observed in a targeted infection chain (Sample #6).
  • The wrapper is delivered by DLL side-loading: the malicious DLL spoofs legitimate libraries related to SkyTel, NVIDIA GeForce Experience, vncutil and ASUS so that a legitimate application loads it.
  • Execution of the legitimate application loads the malicious DLL (the Pelmeni wrapper), which then continues the infection chain.
  • The first entry path runs through several stages (decryption of the DLL contents and its exports, thread management, and redirection to a new execution flow) and ends in the in-memory execution of a .NET payload.
  • The embedded .NET binary is encrypted with a substitution cipher similar to the one used by Kazuar, which points to targeted customization and evasion.
  • Exfiltration is performed over a socket-based protocol, and logs are written to a folder different from the one used by previous Kazuar samples.

MITRE Techniques

  • [T1574.001] Hijack Execution Flow: DLL (DLL side-loading; tracked as T1574.002 in ATT&CK versions before v16) – The actors use DLL side-loading, spoofing legitimate libraries related to SkyTel, NVIDIA GeForce Experience, vncutil or ASUS. “the actors make use of the Sideload DLL technique, spoofing legitimate libraries related to “SkyTel”, “NVIDIA GeForce Experience”, “vncutil” or “ASUS”.”
  • [T1055.003] Process Injection: Thread Execution Hijacking – The first function, “Gcqiprj”, … creates a thread that continues the execution of the wrapper. “CreateThread(), it creates a thread that will continue with the execution of the wrapper.” Note that the quoted behaviour is a new thread in the wrapper's own host process, not the hijack of an existing thread in another process, so this mapping is loose.
  • [T1027] Obfuscated Files or Information – Most of the DLL content is encrypted, and the names of its exported functions appear to be randomly generated. “The DLL does not provide much information since most of its content is encrypted. The most interesting thing is the name of its exported functions … appear to be randomly generated.”
  • [T1041] Exfiltration Over C2 Channel – Data is exfiltrated over a socket. “exfiltration of data using socket.”

Indicators of Compromise

  • [URL] C2 / command-and-control endpoints – https://altavista[.]rs/wp-includes/ID3/PerceptionSimulation/, https://m6front.sam-maintenance[.]com/wp-includes/customize/assembly/, https://bibliotecaunicef[.]uy/catalog/notices/tags/
  • [IP/Host] Local WebSocket listener – wss://127.0.0.1:20089/Test (loopback address, so this is a host-based indicator rather than a network one)
  • [File Hash] Sample #6 (Pelmeni Wrapper) – 15f5e4808549ff67a79f84e23659da912ebbc1dc7c7b100c12b72384a27e412a, and Relapsed.exe: 7ae9768b79a6b75f814a1b7afaf841b1a4b7ba803b3d806823e81d24a84fd078
  • [File Hash] Sample #5 (asio.dll) – cccd6327dd5beee19cc3744b40f954c84ab016564b896c257f6871043a21cf0a
  • [File Hash] Sample #5 (Sobroutine.exe) – 6559d6cb2976334776ded3e7f8ce781c0e6fbaa69edbb0f16b902d06b5d8d8d9
  • [File Hash] Sample #3 (SkyTelLOC.dll) – 00256c7fd9a36c6a4805c467b15b3a72dbac2e6dbd12abe7d768f20ce6c8f09f
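A small hunting script, added here as an example and not part of the Lab52 analysis or of any Turla tooling, that ties the keypoints above to the IoC list: it sweeps a directory tree for the SHA-256 hashes listed above, flags DLLs carrying a spoofed-library name that sit next to an .exe (the layout DLL side-loading needs), and applies a triage heuristic to export names such as the “Gcqiprj” quoted in the MITRE section. The hashes and the SkyTelLOC.dll / asio.dll file names come from the page; the name patterns for the NVIDIA, vncutil and ASUS lookalikes, the vowel-ratio heuristic and all function names are this editor's assumptions.

```python
"""Hunting helpers for the Pelmeni/Kazuar side-loading chain (added example).

Indicators and the spoofed file names come from the summary above; the
name patterns for the other vendors, the heuristics and the function
names are assumptions made for this example.
"""
import hashlib
import os
import re
import sys

# SHA-256 hashes listed in the summary's IoC section.
PELMENI_SHA256 = {
    "15f5e4808549ff67a79f84e23659da912ebbc1dc7c7b100c12b72384a27e412a",  # Sample #6, Pelmeni wrapper
    "7ae9768b79a6b75f814a1b7afaf841b1a4b7ba803b3d806823e81d24a84fd078",  # Relapsed.exe
    "cccd6327dd5beee19cc3744b40f954c84ab016564b896c257f6871043a21cf0a",  # Sample #5, asio.dll
    "6559d6cb2976334776ded3e7f8ce781c0e6fbaa69edbb0f16b902d06b5d8d8d9",  # Sample #5, Sobroutine.exe
    "00256c7fd9a36c6a4805c467b15b3a72dbac2e6dbd12abe7d768f20ce6c8f09f",  # Sample #3, SkyTelLOC.dll
}

# DLL names worth a second look. SkyTelLOC.dll and asio.dll are named on the
# page; the NVIDIA/vncutil/ASUS substrings are an assumption (the page names
# the vendors, not the exact file names).
SPOOFED_DLL_PATTERNS = [re.compile(p, re.I) for p in (
    r"^skytel", r"nvidia|geforce", r"^vncutil", r"^asus", r"^asio\.dll$")]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_random(name):
    """Triage heuristic for machine-generated export names such as 'Gcqiprj'.

    Flags names with a low vowel ratio and a consonant run of three or more;
    ordinary exports like DllRegisterServer or GetProcAddress pass. It is a
    heuristic for prioritising samples, not evidence on its own (short
    real-world names like 'strlen' will also trip it).
    """
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    longest_run = max(len(r) for r in re.split(r"[aeiouy]", letters))
    return vowels / len(letters) < 0.25 and longest_run >= 3


def sweep(root, iocs=PELMENI_SHA256):
    """Walk `root` and return (hash_hits, sideload_candidates), both sorted.

    hash_hits: files whose SHA-256 is in `iocs`.
    sideload_candidates: DLLs with a spoofed-library name that share a
    directory with an .exe, i.e. the placement DLL side-loading relies on.
    """
    hash_hits, candidates = [], []
    for dirpath, _dirs, files in os.walk(root):
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            path = os.path.join(dirpath, f)
            if sha256_of(path) in iocs:
                hash_hits.append(path)
            if (f.lower().endswith(".dll") and has_exe
                    and any(r.search(f) for r in SPOOFED_DLL_PATTERNS)):
                candidates.append(path)
    return sorted(hash_hits), sorted(candidates)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits, cands = sweep(root)
    for p in hits:
        print("IOC hash match:", p)
    for p in cands:
        print("side-load candidate (spoofed DLL beside an .exe):", p)
```

Export names are not parsed here; in practice feed `looks_random` the names pulled from a DLL's export table (for example with `pefile`) and treat a high proportion of flagged names together with a spoofed file name as a reason to pull the sample for analysis.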

Read more: https://lab52.io/blog/pelmeni-wrapper-new-wrapper-of-kazuar-turla-backdoor/