Crutch Trojan

First seen in 2015, Crutch is a backdoor and infostealing trojan made by the Turla APT group for attacks against government foreign affairs organisations in the EU.

Threat ID:: CC-3689
Category:: Trojan, Backdoor, Spyware
Threat Severity:: Medium
Threat Vector:: Download, Email, Hacking tool
Published:: 3 December 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First seen in 2015, Crutch is a backdoor and infostealing trojan made by the Turla APT group for attacks against government foreign affairs organisations in the EU.

Affected platforms

The following platforms are known to be affected:

Versions: all supported

Microsoft Windows

Threat details

Introduction

Crutch is a sophisticated information stealing trojan and backdoor created by the Turla advanced persistent threat group for use in their own campaigns. At the time of publication, it has only been seen in highly targeted attacks against government organisations within the European Union.

Believed to have been first observed in 2015, Crutch has only recently been identified as distinct from Turla's other tools, Gazer and WhiteBear.

Delivery

As with most Turla-developed tools, Crutch is typically delivered as a secondary payload in much larger campaigns. Older variants were distributed by first-stage loaders or implants; whilst newer variants use the Cobalt Strike and Empire post-exploitation toolsets with initial scripts sent via phishing emails or file repositories.

Activities

Once installed, Crutch will connect to a Turla-controlled Dropbox location where it stores extracted information and receives further commands. Some variants maintain Github and OneDrive recovery C2 locations. It then attempts to gain persistence by performing DLL hijacking on Chrome, Firefox, and OneDrive.

A secondary module is then downloaded and installed to monitor and extract files from removable drives. These are then encrypted in a RAR file before being uploaded to the Dropbox location.

Newer variants of Crutch appear to not be able to accept commands from Turla operators once installed, but are able to extract sensitive files from networked drives automatically.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains

ethdns.mywire[.]org
highcolumn.webredirect[.]org
hotspot.accesscam[.]org
theguardian.webredirect[.]org

URLs

https://raw.githubusercontent[.]com/ksRD18pro/ksRD18/master/ntk.tmp

Host indicators

Filepaths

%LOCALAPPDATA%\Microsoft\OneDrive\dwmapi.dll
C:\Intel\~csrss.exe
C:\Intel\~intel_upd.exe
C:\Intel\lang.nls
C:\Intel\outllib.dll
C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll
C:\Program Files (x86)\Mozilla Firefox\rasadhlp.dll

SHA1 hashes

2FABCF0FCE7F733F45E73B432F413E564B92D651
778AA3A58F5C76E537B5FE287912CC53469A6078
A010D5449D29A1916827FDB443E3C84C405CB2A5
A4AFF23B9A58B598524A71F09AA67994083A9C83

Definitive source of threat updates

Last edited: 3 December 2020 3:05 pm