Researchers have discovered a previously undocumented backdoor and document stealer, which they have linked to the Russian-speaking Turla advanced persistent threat (APT) espionage group.
The malware, which researchers call “Crutch,” is able to bypass security measures by abusing legitimate tools – including the file-sharing service Dropbox – in order to hide behind normal network traffic. Researchers said that the Crutch toolset has been designed to exfiltrate sensitive documents and other files to Dropbox accounts, which Turla operators control.
“[Crutch] was used from 2015 to, at least, early 2020,” said researchers with ESET in a Wednesday analysis. “We have seen Crutch on the network of a Ministry of Foreign Affairs in a country of the European Union, suggesting that this malware family is only used against very specific targets, as is common for many Turla tools.”