Kaspersky has recently identified a new version of the complex ‘Turla/Uroburos’ APT malware, which first appeared early in 2014. This time, the malware was uploaded to a multi-scanner service, where heuristic analysis recognized it as a variant of the Turla malware.
So far, every Turla sample discovered was designed for the x86/x64 versions of Windows – this finding, therefore, was of high interest to Kaspersky’s researchers, as it’s the first Turla designed for Linux seen in the wild. “We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet,” claims the SecureList blog post.
Linux Turla is considerably larger than the previously observed versions, because the module is a C/C++ executable statically linked against multiple libraries. “Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.”
Another interesting fact about Turla is that it doesn’t require elevated (root) privileges to run arbitrary remote commands – this allows it to run more freely on the target systems. “Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.”
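A component that intercepts incoming packets on Linux needs a packet-capture socket, and the kernel lists every such socket in /proc/net/packet with its owning uid and inode. The following is an added example for defenders, not code from the article or from Kaspersky: it parses that table, maps each socket inode back to the process holding it via /proc/<pid>/fd, and reports sockets that capture all protocols (ETH_P_ALL). The column layout of /proc/net/packet and the constructed sample rows, pids and inodes are assumptions made for the demo; reading other users' fd tables on a live host requires root.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List

# Kernel constants (linux/socket.h, linux/if_ether.h)
SOCK_RAW = 3
ETH_P_ALL = 0x0003


@dataclass
class PacketSocket:
    sock_type: int            # 3 = SOCK_RAW (whole frames), 2 = SOCK_DGRAM
    proto: int                # link-layer filter; 0x0003 = ETH_P_ALL captures everything
    iface: int                # ifindex bound to, 0 = any interface
    uid: int                  # user that owns the socket
    inode: int                # socket inode, the key that links to /proc/<pid>/fd
    pids: List[int] = field(default_factory=list)  # holders, filled in later


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets: List[PacketSocket] = []
    for line in text.splitlines()[1:]:  # first line is the header
        cols = line.split()
        if len(cols) < 9:
            continue
        sockets.append(PacketSocket(
            sock_type=int(cols[2]),
            proto=int(cols[3], 16),
            iface=int(cols[4]),
            uid=int(cols[7]),
            inode=int(cols[8]),
        ))
    return sockets


def socket_inode_to_pids(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Walk /proc/<pid>/fd and map 'socket:[inode]' links back to the pids holding them."""
    result: Dict[int, List[int]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or fd table not readable by us
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                inode = int(target[8:-1])
                result.setdefault(inode, []).append(int(entry))
    return result


def find_sniffers(proc_net_packet_text: str, proc_root: str = "/proc") -> List[PacketSocket]:
    """Return packet sockets filtering on ETH_P_ALL, annotated with their owning pids."""
    inode_map = socket_inode_to_pids(proc_root)
    hits: List[PacketSocket] = []
    for sock in parse_proc_net_packet(proc_net_packet_text):
        sock.pids = sorted(inode_map.get(sock.inode, []))
        if sock.proto == ETH_P_ALL:
            hits.append(sock)
    return hits


def demo() -> List[PacketSocket]:
    """Run the check against a constructed fake /proc tree, not a real host."""
    # Constructed /proc/net/packet content: one all-protocol raw socket owned by an
    # unprivileged uid 1000 (inode 48213) and one ARP-only socket owned by root.
    sample = (
        "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"
        "ffff9a10 3      3    0003   0     1 0      1000   48213\n"
        "ffff9a20 2      2    0806   2     1 0      0      48300\n"
    )
    root = tempfile.mkdtemp()
    # Fake pid 4242 holds inode 48213 on fd 5; fake pid 777 holds inode 48300 on fd 3.
    for pid, inode, fd in ((4242, 48213, 5), (777, 48300, 3)):
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        os.symlink(f"socket:[{inode}]", os.path.join(fd_dir, str(fd)))
    return find_sniffers(sample, root)


if __name__ == "__main__":
    for hit in demo():
        print(f"pids={hit.pids} uid={hit.uid} ETH_P_ALL packet socket, inode {hit.inode}")
```

On a real host, call `find_sniffers(open("/proc/net/packet").read())` as root; a capture socket owned by an ordinary user, on an interface the user has no business monitoring, is the kind of finding worth correlating with the process's binary and network connections.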
Because this part of Turla was discovered so late after the initial Windows-targeting variants, we are left to wonder: just how many other parts/variants of Turla exist?