ESET researchers have described the previously undocumented Crutch backdoor, which was used in attacks against specific targets between 2015 and 2020.
According to the researchers, the malware was used by the advanced persistent threat (APT) group Turla (also known as Venomous Bear), known for its aggressive attacks on governments, embassies and military organizations using spear phishing and watering-hole techniques. With Crutch, the attackers stole confidential documents and other files and uploaded them to Dropbox accounts under their control.
In particular, the backdoor implants were secretly installed on several computers belonging to the Ministry of Foreign Affairs of an EU country.
Crutch is delivered to the target system either through the Skipper package (a first-stage implant previously linked to Turla) or through the PowerShell Empire post-exploitation agent. The attackers used two versions of the backdoor: one before mid-2019 and a second one after. To receive commands and upload stolen files, the first version connected to hard-coded Dropbox accounts through the legitimate Dropbox HTTP API. The second version added a new capability: files stolen from local and removable drives are uploaded to Dropbox using the Windows version of the Wget utility rather than the HTTP API used by the earlier version.
Crutch is able to bypass certain layers of security by abusing legitimate infrastructure (in this case, Dropbox) to blend in with regular network traffic while exfiltrating documents and receiving commands from its operators.
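As an added defender-side example (not part of ESET's report or this article), the following Python check runs over constructed proxy log lines and flags the traffic pattern described above: Dropbox API traffic from processes that are not normal Dropbox clients, wget.exe in particular, and bulk uploads. The log format, process allow-list and size threshold are assumptions; the Dropbox API hostnames are real.

```python
import re

# Constructed sample proxy log lines (not from ESET's report):
# timestamp, workstation, process, HTTP method, URL, bytes sent.
SAMPLE_PROXY_LOG = """\
2020-11-30T09:12:01Z WS-014 Dropbox.exe POST https://content.dropboxapi.com/2/files/upload 48213
2020-11-30T09:13:44Z WS-014 chrome.exe GET https://www.dropbox.com/home 1120
2020-11-30T09:15:02Z WS-027 wget.exe POST https://content.dropboxapi.com/2/files/upload 2310987
2020-11-30T09:15:09Z WS-027 rundll32.exe POST https://api.dropboxapi.com/2/files/list_folder 412
2020-11-30T09:16:30Z WS-031 outlook.exe POST https://outlook.office365.com/api 5600
"""

# Dropbox domains (real); which ones matter to an organisation is an assumption.
DROPBOX_DOMAINS = ("dropboxapi.com", "dropbox.com")
# Assumed allow-list of processes expected to talk to Dropbox; tune per environment.
EXPECTED_CLIENTS = {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
LARGE_UPLOAD_BYTES = 1_000_000  # assumed threshold for a "bulk" upload

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, url, sent = m.groups()
    return {"ts": ts, "host": host, "process": proc, "method": method,
            "url": url, "bytes": int(sent)}


def url_host(url):
    """Extract the lower-cased hostname from an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def detect(log_text):
    """Return (workstation, process, url, reasons) for suspicious Dropbox traffic."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        h = url_host(rec["url"])
        if not any(h == d or h.endswith("." + d) for d in DROPBOX_DOMAINS):
            continue  # only Dropbox destinations are of interest here
        proc = rec["process"].lower()
        reasons = []
        if proc not in EXPECTED_CLIENTS:
            reasons.append("unexpected process talking to Dropbox")
        if proc == "wget.exe":
            reasons.append("command-line downloader used for upload")
        if rec["method"] == "POST" and rec["bytes"] >= LARGE_UPLOAD_BYTES:
            reasons.append("bulk upload")
        if reasons:
            alerts.append((rec["host"], rec["process"], rec["url"], tuple(reasons)))
    return alerts
```

Running `detect(SAMPLE_PROXY_LOG)` flags only the wget.exe and rundll32.exe lines; the Dropbox desktop client and browser traffic pass.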
“The complexity of the attacks and the technical details of our discovery further reinforce the notion that Turla has significant resources to handle such a large and varied arsenal,” said ESET researcher Matthieu Faou.