Security researchers at ESET have documented a previously unreported backdoor and document stealer that was in use from 2015 until at least early 2020. Dubbed “Crutch” by ESET, the malware is attributed to Turla, a Russia-linked advanced persistent threat (APT) group with a long record of espionage against governments, embassies and military institutions, typically gaining initial access through spear-phishing and watering-hole attacks.

Crutch was found on systems belonging to the Ministry of Foreign Affairs of an undisclosed European Union member state. ESET ties the tool to Turla through strong overlaps with Gazer, a second-stage backdoor ESET had previously attributed to the group: the two were found on the same compromised machines, and the targeting matches Turla’s consistent focus on diplomatic espionage.

Crutch is a second-stage tool: according to ESET it was installed either by Skipper, a first-stage Turla implant, or through the post-exploitation framework PowerShell Empire. Researchers identified two distinct versions, one in use before mid-2019 and a reworked one after it, showing that the operators kept maintaining the tool over a multi-year campaign.

The notable design choice is the command-and-control channel. Crutch talks to Dropbox accounts controlled by Turla operators through the official Dropbox HTTP API, both to fetch commands and to exfiltrate stolen documents. Because the traffic is HTTPS to a legitimate, widely used cloud service, it blends into normal outbound traffic and defeats detections that key on unusual destinations. The later version, “Crutch v4,” drops the command loop in favour of automation: it harvests files of interest from local and removable drives and uploads them to Dropbox on its own, using a Windows build of the Wget utility (Wget is a GNU tool, not a component of Windows) to perform the uploads.

ESET researcher Matthieu Faou pointed to the size and diversity of Turla’s toolset as evidence of the resources behind the group. In ESET’s assessment, Crutch bypasses some security layers by abusing legitimate infrastructure, in this case Dropbox, so that both document exfiltration and command retrieval look like ordinary use of a cloud service rather than contact with attacker-owned servers.

The case illustrates the exposure of diplomatic networks in EU member states to long-running espionage. In MITRE ATT&CK terms, the behaviour ESET describes maps to command and control over a web service (T1102), collection from local and removable drives (T1005, T1025) and exfiltration to cloud storage (T1567.002). Turla’s usual initial-access methods, spear-phishing and watering-hole compromises, are the likely entry point, but the published analysis covers Crutch as a second-stage tool and does not detail how the initial foothold was obtained in this case.

For defenders, Crutch is a reminder that blocklisting attacker infrastructure is not enough when the infrastructure is a service the organisation itself relies on. Baselining which processes and hosts legitimately talk to cloud-storage APIs, and alerting on uploads from anything else, is the kind of control that would have surfaced this tool well before five years had passed.
