Turla APT Group Now Leverages Metasploit in Operations

The Russia-linked advanced persistent threat (APT) group “Turla” is now leveraging off-the-shelf tools in its cyber-espionage operations. The group, which has been active since 2007, is known for targeting private businesses and government organizations and has historically targeted the US Department of State and the US Central Command. Recent Turla operations leverage Metasploit, the popular open source exploitation framework, to spread the Mosquito backdoor trojan. Beginning in March, the campaign has used a fake Adobe Flash Player installer, a tactic seen in previous campaigns, to execute Metasploit shellcode and download a legitimate Flash installer. The Metasploit shellcode downloads Meterpreter, a payload that gives the threat actor control of the compromised system; Meterpreter then downloads the Mosquito backdoor. The NJCCIC recommends reviewing the ESET report for additional details on recent Turla activity and scanning networks for the associated IOCs provided in the report. If Turla activity is suspected, isolate the affected system(s) from the network immediately and perform a full system scan.
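The IOC sweep and the "which systems to isolate" step the advisory recommends, as an added Python example that is not part of the NJCCIC advisory or the ESET report. Every hash, domain, file and log line in it is a constructed placeholder (the genuine Mosquito indicators come from the ESET report), and the proxy log format, the field names and the "installer contacting a non-vendor host" heuristic are assumptions made for the example; the heuristic flags the delivery pattern described above rather than a specific indicator.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# --- Constructed placeholder indicators --------------------------------------
# In real use these sets are populated from the indicator section of the
# ESET report; the values below exist only so the example runs offline.
PLACEHOLDER_BAD_SAMPLE = b"MZ\x90\x00constructed-fake-flash-installer-sample"
IOC_SHA256: Set[str] = {hashlib.sha256(PLACEHOLDER_BAD_SAMPLE).hexdigest()}
IOC_DOMAINS: Set[str] = {"ioc-placeholder-c2.example", "stage2-placeholder.invalid"}

# Hosts a genuine Flash Player installer would be expected to talk to
# (assumption for the example; tune to what your environment observes).
EXPECTED_INSTALLER_HOSTS = ("adobe.com",)
FLASH_INSTALLER_NAME = re.compile(r"flash.*player.*\.exe$", re.IGNORECASE)

# Constructed files as they might be collected from an endpoint.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Users/x/Downloads/flashplayer_install.exe": PLACEHOLDER_BAD_SAMPLE,
    "C:/Users/x/Downloads/notes.txt": b"meeting notes",
}

# Constructed proxy log lines. Assumed format (one record per line):
#   <timestamp> <client_ip> <process_image> <url> <http_status>
SAMPLE_PROXY_LOG = [
    "2018-05-01T10:00:01Z 10.0.0.12 chrome.exe https://get.adobe.com/flashplayer/ 200",
    "2018-05-01T10:00:09Z 10.0.0.12 flashplayer_install.exe http://ioc-placeholder-c2.example/stage 200",
    "2018-05-01T10:00:15Z 10.0.0.12 flashplayer_install.exe https://get.adobe.com/flashplayer/ 200",
    "2018-05-01T10:01:30Z 10.0.0.44 outlook.exe https://mail.example/owa 200",
    "2018-05-01T10:02:02Z 10.0.0.12 svchost.exe http://stage2-placeholder.invalid/m 200",
    "2018-05-01T10:03:00Z 10.0.0.12 FlashPlayer_Setup.exe http://cdn-placeholder.example/update 200",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: Dict[str, bytes], ioc_hashes: Set[str] = IOC_SHA256) -> List[str]:
    """Return the paths whose SHA-256 is in the indicator set."""
    return [path for path, data in files.items() if sha256_hex(data) in ioc_hashes]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def in_expected_hosts(host: str, expected: Tuple[str, ...] = EXPECTED_INSTALLER_HOSTS) -> bool:
    # Match the domain itself or a subdomain; a plain endswith() would also
    # accept look-alikes such as "notadobe.com".
    return any(host == d or host.endswith("." + d) for d in expected)


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one line of the assumed proxy format; None if it does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, process, url, status = parts
    return {"ts": ts, "client": client, "process": process, "host": host_of(url), "status": status}


def scan_proxy_log(lines: Iterable[str], ioc_domains: Set[str] = IOC_DOMAINS) -> List[Tuple[int, str, str, str]]:
    """Two checks per line, returned as (line_no, kind, client_ip, host):
    'ioc_domain'                - the contacted host is a known indicator;
    'installer_unexpected_host' - a process named like a Flash installer reached
                                  a host outside the vendor domain (heuristic)."""
    findings: List[Tuple[int, str, str, str]] = []
    for n, line in enumerate(lines, 1):
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        if rec["host"] in ioc_domains:
            findings.append((n, "ioc_domain", rec["client"], rec["host"]))
        elif FLASH_INSTALLER_NAME.search(rec["process"]) and not in_expected_hosts(rec["host"]):
            findings.append((n, "installer_unexpected_host", rec["client"], rec["host"]))
    return findings


def affected_clients(findings: List[Tuple[int, str, str, str]]) -> Set[str]:
    """Client addresses that should be isolated and fully scanned."""
    return {client for _, _, client, _ in findings}


if __name__ == "__main__":
    print("hash hits:", scan_files(SAMPLE_FILES))
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in hits:
        print("log hit:", hit)
    print("isolate:", sorted(affected_clients(hits)))
```

The hash check is the exact-match sweep the advisory asks for; the second proxy check is deliberately separate because it is a behavioural heuristic that can fire on a benign installer pulled from a mirror, so its hits are for triage, while an `ioc_domain` hit on a host that also shows a hash match is the stronger signal to act on.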