Turla Backdoor Deployed in Attacks Against Worldwide Targets


Turla Backdoor Deployed in Attacks Against Worldwide Targets (May 7, 2019)

Researchers have identified a back, attributed to the threat group “Turla,” that is targeting Microsoft Exchange mail servers. Turla is a Russian-based cyberespionage group, known for attacking a wide range of targets located in over 40 countries. The backdoor has the ability to extract data, read emails,, and send emails. Using the Exchange Server Transport Agent, the malware is able to appear legitimate and go undetected for a long period of time. The backdoor is sent to victims in the form of a JPG or PDF attachment, with the commands encoded using steganography. The use of the Exchange Server Transport Agent makes it more difficult to remove the malware as deleting the infected files will prevent users in the organization from sending and receiving emails.

Recommendation: Emails attachments sent from unknown senders should be viewed with the utmost scrutiny and the attachments should be avoided and properly reported to appropriate personnel. Users are advised to disable the malicious Transport Agent cmdlets added to the Mail Exchange server, to remove the malware.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.