Russia-backed crew's latest malware has discerning taste – when screening visitors to poisoned watering holes

Russia's infamous Turla hacking crew looks to be gearing up for a new offensive, according to researchers with ESET. The European security firm said that the fingerprints of the state-backed crew have been found all over previously unseen malware samples collected from compromised government websites in Armenia. Data from …

  1. Pascal Monett Silver badge
    FAIL

    "the C&C [command-and-control] server replies with a piece of JavaScript code"

    Which is blocked by NoScript.

    Again, NoScript to the rescue. Frankly, NoScript should be considered as a must-have, receive a Public Utility Award as well as a Keeping The Internet Safe Award, and be enshrined as a tool that defends Democracy and Privacy.

    Oh, and somebody give its author a million bucks. He deserves it.

    Meanwhile, a Flash Update? Really? And "high interest" people fall for that?

    I wonder what the malware guys will do when Flash has been eradicated from the Internet. Are they going to try to push YouTube updates?

    1. tmTM

      Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

      Probably just switch to pictures/videos of scantily clad women.

      They're hacking Armenia, not the Pentagon.

      1. Cuddles Silver badge

        Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

        Because no-one in the Pentagon would ever click on a picture of a scantily-clad Flash update?

        1. Alistair Silver badge
          Windows

          Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

          @Cuddles:

          Are flash updates ever more than scantily clad?

          1. herman Silver badge

            Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

            "Are flash updates ever more than scantily clad?" - Depends on which bits they are flashing.

    2. GnuTzu Silver badge
      Thumb Up

      Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

      "Are they going to try to push YouTube updates?"

      Short answer: of course they will... along with many other chameleon-like variations--at varying degrees of effectiveness/deadliness.

      But, getting down to fundamentals...

      I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams, made such delivery easier, and therefore increased the rate of delivery. After all, that's what technology does. But, when we hear that there's a "new" scam, all I see is just a new variation of a repackaged scam, delivered by a slicker, faster method.

      Once we decided that users should be prompted to allow an update, we effectively created a procedural convention that could be leveraged by fakes.

      The fundamental problem is making it impossible to fake an official notification. Basic rule of security: you can make things harder, slow the rate of compromise, and mitigate the risks/costs--but you can't make fakes impossible--just costlier.

      And then, if you've bothered to read this far, there's that final unfortunate trade-off. Barriers to fakes usually make things harder on users (think TSA), so we don't build the best barriers in the hopes that users will tolerate and comply with the ones we put in place. It's a bit of a juggle.

      Flash is just one of those pervasive things that should have died long ago. Its persistence is simply easily exploited. It's a bit of low-hanging fruit that should

      1. GnuTzu Silver badge

        Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

        ...should have been eradicated long ago. But, no; this is why we have the Internet of Turds, as well as other embarrassing foolishness.

        1. Alan Brown Silver badge

          Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

          " this is why we have the Internet of Turds"

          FWIW: a _LARGE_ part of the reason we have the Internet of turds is NAT and the continued use of IPv4

          Tunnelling out your devices to some (vulnerable) website so you can remotely view security cams wouldn't be necessary in an IPv6 environment - and blocking those tunnels takes away a huge chunk of the attack face.

          If you have to implement a kludge (that kind of shit) on top of a kludge (32-bit addressing - there's history on that, it was only intended to be in service for 5 years) then expect the authors to be careless.

          I'm not saying that IPv6 cures all ills - but not behaving like the old lady who swallowed a fly goes a long way towards not having as many issues in the first place.

      2. Alan Brown Silver badge

        Re: "the C&C [command-and-control] server replies with a piece of JavaScript code"

        "I keep pushing the view that technology didn't really bring us any new scams. It only changed the delivery methods for scams"

        Yup. I saw my first 419 missive in the requisite ALL CAPS coming off a telex machine in 1989 - and of course THAT'S just a variant on the "Spanish Prisoner" letters selling treasure maps with 'X marks the spot' that inspired Robert Louis Stevenson.

  2. mjflory

    Re: "an Eastern European government"

    Armenia is in western Asia.

    1. herman Silver badge

      Re: "an Eastern European government"

      Indeed, but they are more European than Asian.

  3. HildyJ Silver badge
    Devil

    False flags

    "Indeed, last year the crew was found trying to throw investigators off its trail by disguising one of its intelligence operations as an Iranian hacking campaign."

    And I bet the US bought it.

    1. JCitizen
      Joke

      Re: False flags

      No, the Americans who are Democrats would be convinced that even a real Iranian attack was the fault of the Russians. Everything is the fault of the Russians now, and their orange minion in the White House. Haven't you been reading the news?

  4. Mike 16 Silver badge

    That image

    Whit Diffie? (Can't be sure without the rest of his head)
