The National Cyber Security Centre (NCSC) has published new threat intelligence on the Turla group, a cyber threat group that targets organizations in the UK.
Turla uses the Neuron and Nautilus malicious tools designed to operate on Windows systems and target primarily mail and web servers. The malware tools are used to maintain persistent network access and compromise networks in order to collect intelligence.
In the new advisory update, NCSC has spotted a new version of Neuron that has evaded previous detection methods. The Neuron malware platform is also designed to steal sensitive data, act as a gateway for internal network operations and is used to conduct onward attacks against other organizations.
A summary of the changes from the NCSC report include:
- The .NET payload is loaded in-memory as opposed to being dropped to disk
- Communications have been modified to avoid detection
- Some encryption methods have replaced RC4 with AES
- The modifications are sufficient to avoid previously released signatures & IOCs.