Turla group bypasses malware detection
Turla, a notorious espionage group also known as Snake, and known for developing and distributing complex malware, has recently started using PowerShell* scripts in a way that allows its malware to bypass detection by antivirus software.
The group is thought to have been active since 2008, when the US military was successfully breached. Such a target is quite typical for Turla: it usually aims for diplomatic targets, not only Eastern European governments but Western European and Middle Eastern governments too.
The significance of this new mode of attack, as I have mentioned, is that it helps evade detection by AV software and, perhaps more importantly, lets the malware persist on the system, since the scripts are regularly loaded directly into memory.
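Because a script that is loaded straight into memory leaves nothing on disk for a file scanner to inspect, the most useful defensive control is to log what PowerShell actually executes. The following is an added example, not code from the original post: run as an administrator, it switches on script block and module logging through the policy registry keys and then pulls the last day of 4104 script-block events, flagging the patterns that typically accompany in-memory loading. The keyword list is my own assumption and should be tuned to your environment.

```powershell
# Added example: enable PowerShell script block and module logging, then
# review recent script-block events for in-memory loading patterns.
# Run in an elevated PowerShell session; the keyword list is an assumption.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging records the content of every script block executed,
# including code that was decoded or assembled in memory and never touched disk.
New-Item -Path "$policy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging records pipeline activity for every loaded module ('*').
New-Item -Path "$policy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policy\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$policy\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Patterns commonly seen when a script is loaded directly into memory (assumed list).
$patterns = @(
    'FromBase64String',
    'Invoke-Expression',
    'IEX',
    'DownloadString',
    'Reflection.Assembly',
    'VirtualAlloc'
)

# Event ID 4104 in the PowerShell operational log carries the script-block text itself.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Report each script block that contains one or more of the patterns.
foreach ($e in $events) {
    $hits = $patterns | Where-Object { $e.Message -match [regex]::Escape($_) }
    if ($hits) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            RecordId = $e.RecordId
            Matches  = ($hits -join ', ')
        }
    }
}
```

Forwarding the operational log to a central collector matters as much as enabling it, since an attacker with local administrator rights can clear it.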
In 2018, it was predicted that Turla would use more generic tools, that is, system tools already present on the target system. PowerShell usage is a manifestation of that prediction. Turla frequently uses open-source tools, modified to suit its purposes. That is not to say the group has stopped using its own custom tools, however. It does mean, though, that it is possible to identify different groups of activity.
Be aware, though: although I have said their targets are generally governments, that does not mean an attack on a government could not go through a third party to mask it. That third party could be you.
*PowerShell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and an associated scripting language. Initially a Windows-only component, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core.