Turla Backdoor, and Dropbox

ESET researchers have
recently released information on the discovery of a new backdoor dubbed Crutch that uses Dropbox to exfiltrate
stolen files. Crutch has been seen as
early as 2015 and is believed to be a second-stage backdoor that is deployed
after a victim has already been compromised. Researchers have seen the Skipper implant and the PowerShell Empire post-exploitation
agent used as initial infection vectors. Until July 2019, Crutch v3 used an architecture based on
manual input of commands through Dropbox that are then run on the victim’s
machine. It included a monitor for removable drives that looked for files with certain extensions, such as .pdf, .rtf, .doc, and .docx,
then compressed and staged the
files for exfiltration. These files were then uploaded to a hard-coded Dropbox account controlled
by the attackers. Persistence was maintained by using
hijacked browser processes in Chrome, Firefox,
or OneDrive. In one
instance, the Crutch operator even left a little taunt
for the victim,
running the command “mkdir %temp%Illbeback”.

In July of 2019, researchers discovered a newer version of Crutch that was auto- mated rather than
having the operator run commands manually. The

persistence mechanism changed to using a Microsoft
Outlook component, Finder, 
rather than the browser processes. The drive monitor also got a makeover
and could now monitor local drives as well as removable drives. Interesting
files are still compressed, encrypted, and staged for exfiltration. Instead of
the operator manually uploading them to Dropbox, however,
Crutch v4 now uploads the files
automatically using the Windows version of the wget

ESET researchers
have attributed Crutch to the
Russians peaking APT group Turla.
They discovered several strong links between a 2016 version of the Crutch dropper and a Turla tool called Gazer. For instance,
both samples were found on the same machine within
a 5-day period, PDB paths were almost identical, and they both used the exact
same RC4 key to decrypt their payloads.

“Given these
elements and that Turla malware
families are not known to be shared among different groups, we believe that Crutch is a malware family that is part
of the Turla arsenal,” says the ESET
release. Crutch was also discovered
on the network of the Ministry of Foreign Affairs in an undisclosed European
Union country, which also aligns with Turla’s
previous strategies targeting gov- ernments, embassies, and military


Turla’s ‘Crutch’ Backdoor Leverages Dropbox in Espionage Attacks | Threatpost

Turla Crutch: Keeping the “back door” open | WeLiveSecurity

Experts Uncover ‘Crutch’ Russian Malware Used in APT Attacks for 5 Years (thehackernews.com)