Turla Malware Targets Universities, Military & Intelligence Linux Machines

According to recently revealed research from the security scientists at Kaspersky Lab, a new form of Linux malware has been discovered, dubbed Turla, which closely mimics many of the same core functions as the open source operating system in order to stay stealthy and avoid persistent forms of detection.



The Turla malware is a collective project that’s been nurtured and strengthened by dozens of different underground hacking rings over the past ten years. It’s taken on thousands of separate code signatures that made it versatile for everything from low-level personal financial account hacks all the way up to high-security breaches at military base networks in 45 different countries around the globe.

The most recent campaign, known as Epic Turla, threw Kaspersky for a loop after its initial analysis because, until recently, the researchers had never seen a build of this strain that was fully functional on both Linux and Windows simultaneously.

“This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can’t be discovered via netstat, a commonly used administrative tool. It uses techniques that don’t require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system,” researchers noted.

The trojan has proven particularly effective as an evasive malware, capable of rapidly shifting its purpose and adapting on the fly to standard takedown attempts that system administrators might use, such as the netstat traffic monitor, as well as fooling most major anti-virus suites into thinking the program is a legitimately downloaded package.

“The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources,” Kaspersky’s Kurt Baumgartner and Costin Raiu explained.
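The two build properties the researchers describe, static linking and stripped symbols, can be read straight from an ELF file's headers during triage. The following is an added example, not code from Kaspersky or from the original article; it handles only 64-bit little-endian ELF, and `triage` and `make_elf` are hypothetical names, with `make_elf` producing constructed header-only samples.

```python
import struct
import sys

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 little-endian file header (64 bytes)
PT_INTERP, SHT_SYMTAB = 3, 2                # loader request / full symbol table

def triage(data: bytes) -> dict:
    """Report whether an ELF64-LE image is statically linked and stripped."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (_, _, _, _, _, phoff, shoff, _, _,
     phentsize, phnum, shentsize, shnum, _) = EHDR.unpack_from(data)
    try:
        # p_type is the first 32-bit word of each program header
        ptypes = [struct.unpack_from("<I", data, phoff + i * phentsize)[0]
                  for i in range(phnum)]
        # sh_type is the second 32-bit word of each section header
        shtypes = [struct.unpack_from("<I", data, shoff + i * shentsize + 4)[0]
                   for i in range(shnum)]
    except struct.error:
        raise ValueError("truncated header tables")
    return {
        "static": PT_INTERP not in ptypes,      # no dynamic loader requested
        "stripped": SHT_SYMTAB not in shtypes,  # .symtab removed (or no sections)
    }

def make_elf(ptypes, shtypes) -> bytes:
    """Constructed sample: header-only ELF64 image with the given type values."""
    phoff, shoff = 64, 64 + 56 * len(ptypes)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    hdr = EHDR.pack(ident, 2, 62, 1, 0, phoff, shoff, 0,
                    64, 56, len(ptypes), 64, len(shtypes), 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
    shdrs = b"".join(struct.pack("<II", 0, t) + bytes(56) for t in shtypes)
    return hdr + phdrs + shdrs

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # triage a real file by path
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:                                       # constructed samples
        print(triage(make_elf([1, 1], [0, 1, 3])))
        print(triage(make_elf([6, 3, 1, 2], [0, 1, 11, 2, 3])))
```

Static and stripped together is a triage attribute rather than an indicator on its own, since plenty of legitimate binaries are built the same way; it is most useful for prioritising unexpected executables for closer analysis.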

Now that Turla has morphed from a Windows-only build into a Linux-compatible one, Kaspersky says they’re worried that its inherently versatile nature could make it exponentially more dangerous to deal with, and all that much harder to track.

They suggest that although they were able to uncover two different versions of the Linux variant, the code could have been active and traversing the globe for up to two years before they finally came across it almost by accident.

There’s been some speculation that Turla could have been behind a major cyberattack that came close to crippling military systems in the United States during 2008, though they caution that there isn’t enough solid evidence which would allow them to make a hard call on whether the creators of Turla had anything to do with the assault itself outside of providing the baseline program used to launch it in the first place.