ESET researchers have recently released information on the discovery of a new backdoor dubbed Crutch that uses Dropbox to exfiltrate stolen files. Crutch has been seen as early as 2015 and is believed to be a second-stage backdoor that is deployed after a victim has already been compromised. Researchers have seen the Skipper implant and the PowerShell Empire post-exploitation agent used as initial infection vectors. Until July 2019, Crutch v3 used an architecture based on manual input of commands through Dropbox that are then run on the victim’s machine. It included a monitor for removable drives that looked for files with certain extensions, such as .pdf, .rtf, .doc, and .docx,then compressed and staged the files for exfiltration. These files were then uploaded to a hard-coded Dropbox account controlled by the attackers. Persistence was maintained by usinghijacked browser processes in Chrome, Firefox,or OneDrive. In oneinstance, the Crutch operator even left a little tauntfor the victim,running the command “mkdir %temp%\Illbeback”.
In July of 2019, researchers discovered a newer version of Crutch that was auto- mated rather than having the operator run commands manually. Thepersistence mechanism changed to using a Microsoft Outlook component, Finder, rather than the browser processes. The drive monitor also got a makeover and could now monitor local drives as well as removable drives. Interesting files are still compressed, encrypted, and staged for exfiltration. Instead of the operator manually uploading them to Dropbox, however, Crutch v4 now uploads the files automatically using the Windows version of the wget utility.
ESET researchers have attributed Crutch to the Russians peaking APT group Turla. They discovered several strong links between a 2016 version of the Crutch dropper and a Turla tool called Gazer. For instance, both samples were found on the same machine within a 5-day period, PDB paths were almost identical, and they both used the exact same RC4 key to decrypt their payloads.
“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” says the ESET release. Crutch was also discovered on the network of the Ministry of Foreign Affairs in an undisclosed European Union country, which also aligns with Turla’s previous strategies targeting gov- ernments, embassies, and military organizations.