Russian hacking group uses Dropbox to store malware-stolen data

Russian-backed hacking group Turla has used a previously undocumented malware toolset to deploy backdoors and steal sensitive documents in targeted cyber-espionage campaigns directed at high-profile targets such as the Ministry of Foreign Affairs of European Union countries.

The previously unknown malware framework, named Crutch by its authors, was used in campaigns spanning from 2015 to at least early 2020.

Turla’s Crutch malware was designed to help harvest and exfiltrate sensitive documents and various other files of interest to Dropbox accounts controlled by the Russian hacking group.

“The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET researcher Matthieu Faou said in a report published today and shared in advance with BleepingComputer.

“Furthermore, Crutch is able to bypass some security layers by abusing legitimate infrastructure — here, Dropbox — in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.”

Clear links to other Turla malware

ESET researchers were able to link Crutch to the Russian Turla advanced persistent threat (APT) group based on similarities with the second-stage Gazer (aka WhiteBear) backdoor the threat actors used between 2016 and 2017.

ESET observed several strong links between the two, including the use of the same RC4 key to decrypt payloads, identical filenames when both were dropped on the same compromised machine in September 2017, and almost identical PDB paths.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” Faou added.

Also, based on the timestamps of over 500 ZIP archives containing stolen documents and uploaded to Turla’s Dropbox accounts between October 2018 and July 2019, the working hours of Crutch’s operators line up with the Russian UTC+3 time zone.

[Figure: Active hours (ESET)]
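The working-hours reasoning above can be reproduced on any set of event timestamps. The following is an added example, not ESET's code or data: the upload times are constructed, and the 09:00 to 18:00 weekday window is an assumption chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # assumed local office hours (our assumption)

def constructed_upload_times():
    """Constructed sample of archive upload times in UTC (not ESET's data)."""
    monday = datetime(2019, 3, 4, tzinfo=timezone.utc)
    times = []
    for day in range(14):
        d = monday + timedelta(days=day)
        if d.weekday() >= 5:                        # sample has no weekend activity
            continue
        for hour in (6, 7, 8, 10, 11, 12, 13, 14):  # gap at 09:00 UTC
            times.append(d.replace(hour=hour, minute=(day * 7) % 60))
        if day % 3 == 0:                            # occasional late upload
            times.append(d.replace(hour=16, minute=5))
    return times

def to_local(ts, offset_hours):
    return ts.astimezone(timezone(timedelta(hours=offset_hours)))

def in_hours_score(times, offset_hours):
    """Count events that fall on a weekday inside the assumed office hours."""
    score = 0
    for ts in times:
        local = to_local(ts, offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            score += 1
    return score

def best_offset(times):
    """Return (offset, score) of the whole-hour UTC offset that fits best."""
    scores = {off: in_hours_score(times, off) for off in range(-12, 15)}
    off = max(scores, key=scores.get)
    return off, scores[off]

def hourly_histogram(times, offset_hours):
    """Events per local hour of day, the data behind an 'active hours' chart."""
    return Counter(to_local(ts, offset_hours).hour for ts in times)

if __name__ == "__main__":
    sample = constructed_upload_times()
    off, score = best_offset(sample)
    print(f"best fit UTC{off:+d}: {score}/{len(sample)} events in office hours")
    hist = hourly_histogram(sample, off)
    for hour in range(24):
        print(f"{hour:02d}:00 {'#' * hist[hour]}")
```

A clean fit only narrows the candidates: several countries share UTC+3 and timestamps can be shifted deliberately, so this kind of result is supporting evidence alongside code and infrastructure overlaps rather than proof on its own.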

Dropbox abused as storage for stolen data

Turla delivered Crutch as a second-stage backdoor on already…