Epic Snake ‘Turla’ APT upgraded version targeting Linux machines
The Epic Snake Turla spyware program, which was detected in August 2014, has been upgraded by its handlers to attack Linux-based systems. This was revealed by Kaspersky researcher Kurt Baumgartner in a blog post.
The Turla spyware trojan, discovered in August 2014, was found to have been operating and targeting governments and militaries worldwide since 2008. In fact, Turla and its precursor, called Epic, were so powerful and stealthy that the United States government created the US Cyber Command after its discovery. Turla had been targeting municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe.
At that time Turla was found to have infected more than 500 victim IP addresses in 45 countries. The Turla APT malware works by establishing a backdoor connection to the attackers, through which system information is sent in order to determine which exploits are fed to the compromised machine and, ultimately, where stolen data is exfiltrated. However, at that time only Windows machines were found to be infected.
Now Kaspersky has found a new sample of Turla APT, which it says is an upgraded version that adds Linux support.
The newly discovered Turla sample is unusual in the fact that it’s the first Turla sample targeting the Linux operating system that we have discovered. This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.
Baumgartner stated that the Linux Turla module is a C/C++ executable statically linked against multiple libraries, which greatly increases its file size. Like its older sibling, its functionality gives utmost importance to hidden network communications, arbitrary remote command execution, and remote management. Kaspersky says that much of the code in the latest Turla version is derived from public sources and that the binary has been stripped down in size to make it leaner and meaner.
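As an added illustration of the two traits Baumgartner describes (this is not Kaspersky's code and not a Turla signature), the following defender-side triage check parses ELF64 headers and flags binaries that are both statically linked and stripped of their symbol table; the function names and the fixture builder are my own, and the fixtures it builds are constructed images, not real samples.

```python
import struct
from dataclasses import dataclass

PT_DYNAMIC, PT_INTERP = 2, 3   # program header types that indicate dynamic linking
SHT_SYMTAB = 2                 # section type holding the full (non-dynamic) symbol table


@dataclass
class ElfTraits:
    statically_linked: bool
    stripped: bool


def elf_traits(data: bytes) -> ElfTraits:
    """Classify a little-endian ELF64 image by walking its program and section headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_phoff, e_shoff, (skip e_flags + e_ehsize), e_phentsize, e_phnum, e_shentsize, e_shnum
    e_phoff, e_shoff, phentsize, phnum, shentsize, shnum = struct.unpack_from("<QQ6xHHHH", data, 32)
    has_dynamic = False
    for i in range(phnum):
        (p_type,) = struct.unpack_from("<I", data, e_phoff + i * phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):   # caveat: static-PIE also carries PT_DYNAMIC
            has_dynamic = True
    has_symtab = False
    for i in range(shnum):
        (sh_type,) = struct.unpack_from("<I", data, e_shoff + i * shentsize + 4)
        if sh_type == SHT_SYMTAB:
            has_symtab = True
    # A binary with its section header table removed (shnum == 0) is also treated as stripped.
    return ElfTraits(statically_linked=not has_dynamic, stripped=not has_symtab)


def is_static_stripped(data: bytes) -> bool:
    """Triage heuristic: true when a binary shows both traits. Legitimate tools (e.g. busybox
    builds) also match, so a hit is a candidate for closer analysis, not a verdict."""
    t = elf_traits(data)
    return t.statically_linked and t.stripped


def build_elf(p_types, sh_types) -> bytes:
    """Construct a minimal ELF64 fixture with the given program/section header types (test data only)."""
    phoff = 64
    shoff = phoff + 56 * len(p_types)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1
    hdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, shoff, 0, 64, 56, len(p_types), 64, len(sh_types), 0)
    phdrs = b"".join(struct.pack("<II", t, 0) + bytes(48) for t in p_types)
    shdrs = b"".join(struct.pack("<II", 0, t) + bytes(56) for t in sh_types)
    return hdr + phdrs + shdrs
```

On a real host the same check would be run over `Path.read_bytes()` of each ELF in the directories being audited, and hits would then be compared against package-manager manifests before any deeper analysis.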
Turla APT has long been suspected to be operated by a nation state rather than a cyber criminal gang. Even today the extent of its infections is not clear to the authorities or to security researchers, though it led to a 14-month cleanup operation and the creation of the US Cyber Command. G-Data has long held that the nation state behind Turla APT is Russia, which Russia has vehemently denied time and again.