Three New Pacifier APT Components Point to Russian-Linked Turla Group

In 2016, Bitdefender uncovered a new advanced persistent threat dubbed Pacifier, targeting government institutions starting in 2014. Using malicious .doc documents and .zip files distributed via spear phishing e-mails, attackers would lure victims with invitations to social functions or conferences into executing the attachments. Our previous analysis of the Pacifier components revealed that it’s capable of dropping multi-stage backdoors and that the analyzed first stage dropper is also known as “Skipper” by other security vendors.

The Turla group is known for its variety of APT attack tactics ranging from spear phishing to watering hole campaigns aimed at selectively infecting victims. While the previous sample analyzed by Bitdefender researchers dropped a Trojan using an infected attachment, ESET researchers uncovered a watering hole campaign that instructed victims to install a JavaScript backdoor presented as a Firefox extension. While implemented differently, there were striking similarities to the way the Turla group implements functionalities.

Our new whitepaper covers an in-depth analysis of the three new backdoor modules, as well a short description of their capabilities and features.

Download the whitepaper