Russian APTs And WhiteBear Related Activity
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
The majority of WhiteBear victims are located in Europe, with the main focus on South Eastern Europe and former Warsaw Pact members. The targeting has the hallmarks of previous Turla activity and includes the following characteristics:
• Targets embassies and government ministries.
• Uses spear phishing to deliver a first-stage backdoor.
• Installs a second-stage backdoor once the first stage is established.
• The second-stage backdoor receives encrypted instructions from a C&C server hosted on a compromised website.
WhiteBear is highly sophisticated and is believed to vary the strings within its code between builds. It randomises markers and also wipes its files securely, so that string-based signatures and forensic recovery of dropped files are less likely to succeed.
Turla has traditionally targeted diplomatic, government, military, nuclear research and other academic organisations in the USA, Europe and nations in the former Soviet sphere of influence. Victims are infected via spear phishing emails and watering-hole attacks, which deliver Wipbot or Tavdig first-stage malware; this first stage then delivers the Turla malware (also known as Uroburos, Carbon or Snake) to the victim.
The rootkit conceals its presence and creates a hidden, encrypted file system to store data and tools, which are then used to access further systems, collect information and steal passwords. The actors are believed to have used a number of command and control servers worldwide during their campaigns.
Remediation steps
Last edited: 17 February 2020 11:38 am