Google's Threat Intelligence Group announced the discovery of the STOCKSTAY backdoor, attributed to the Russian cyber espionage group Turla. The malware has been used to target Ukrainian government and military organizations, and its development is traceable to late 2022, showing an evolution in Turla's capabilities and tactics.
The STOCKSTAY malware was identified by Google's Threat Intelligence Group as a new backdoor linked to the Russian threat actor Turla. This sophisticated tool has been used against various government and military entities within Ukraine and those involved in Italian foreign policy, indicating its broad targeting scope.
STOCKSTAY is a multi-component backdoor built on the .NET framework. Its distinct components exchange data through inter-process communication, using the Windows Forms framework and secure WebSocket connections. This design gives the operators flexible remote control of compromised systems.
The backdoor's functionality overlaps with earlier implants like Kazuar, emphasizing the ongoing evolution of Turla's cyber tools.
STOCKSTAY is structured around several modules: STOCKSTAY.MARKETMAKER serves as the downloader, while STOCKSTAY.STOCKBROKER manages network communication, and STOCKSTAY.STOCKTRADER is the main backdoor for data exfiltration. Additionally, STOCKSTAY.STOCKMARKET acts as the orchestrator to control these components, determine execution parameters, and handle communications.
The backdoor includes several operational commands enabling the attacker to manipulate files and capture information. Key commands include Del (to delete files), Dir (to enumerate directories), Get (to retrieve specified files), and Image (to take screen captures). These functionalities provide the attackers with significant control over compromised systems.
The emergence of STOCKSTAY highlights the continuing advancements in cyber espionage techniques employed by state-sponsored actors. As the landscape evolves, understanding these tools is crucial for organizations to enhance their cybersecurity measures against potential threats.
✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.