Turla Targets Users with Fraudulent Flash Player Installer

Russia-sponsored cyber-espionage group Turla is targeting embassies and consulates in post-Soviet states with a new tool that tricks users into installing malware designed to steal sensitive information. The group packages its backdoor trojans inside a fraudulent Adobe Flash Player installer. In the cases ESET analyzed, the installer appeared to be downloaded from Adobe's legitimate URL and IP addresses, so the apparent origin of the download cannot be relied on to judge whether the file is genuine. The initial attack vector is still unknown; however, once the fraudulent Flash installer is downloaded and launched, one of Turla's backdoors is installed on the victim's system and the threat actor can begin exfiltrating data. To avoid raising suspicion, the imitation installer then runs a legitimate Flash Player application, either embedded in the installer or downloaded from a Google Drive location.

The NJCCIC recommends that organizations who may be considered high-value targets for cyber-espionage campaigns review the ESET report and scan for the IoCs it provides to determine whether malicious activity associated with this Turla campaign has been observed within their networks. We also recommend that users consider discontinuing the use of Adobe Flash Player and uninstalling it from all systems where it is not required.
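Because the download's URL and IP address cannot be trusted in this campaign, one triage step a Windows administrator can take is to check the installer file itself: compare its hash against the published IoCs and verify that it carries a valid Authenticode signature from Adobe, since a repackaged installer cannot keep Adobe's signature over modified bytes. The script below is an added example, not code from the NJCCIC advisory or the ESET report. It assumes Windows PowerShell 5 or later, uses a placeholder hash list that must be replaced with the SHA-256 values from the ESET report, and assumes Adobe's code-signing certificate names Adobe in its Organization field.

```powershell
# Added example: triage suspected Flash Player installers on a Windows host.
# Placeholder IoC list. Replace with the SHA-256 hashes published in the ESET report.
$IocSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder, not a real IoC
)

function Test-FlashInstaller {
    param([Parameter(Mandatory)][string]$Path)

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        Path          = $Path
        Sha256        = $hash
        IocMatch      = $IocSha256 -contains $hash
        SigStatus     = $sig.Status
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignedByAdobe = $false
    }

    # Require both a chain that validates and a signer subject naming Adobe
    # (assumption: Adobe's signing certificate carries O=Adobe ... in its subject).
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Adobe') {
        $result.SignedByAdobe = $true
    }
    [pscustomobject]$result
}

# Sweep the usual drop locations for anything that looks like a Flash installer
# and report files that match an IoC or are not signed by Adobe.
$candidates = Get-ChildItem -Path "$env:USERPROFILE\Downloads", $env:TEMP -Recurse -File `
    -Include '*flash*.exe' -ErrorAction SilentlyContinue

$candidates |
    ForEach-Object { Test-FlashInstaller -Path $_.FullName } |
    Where-Object { $_.IocMatch -or -not $_.SignedByAdobe } |
    Format-Table -AutoSize
```

A file that passes both checks is not proven benign; the signature check only rules out the specific case of a tampered Adobe installer, and the hash check only catches samples already known to ESET. Treat any hit as a reason to pull the host for forensic review rather than simply deleting the file.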