Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Russian Hacking Group Uses Dropbox To Store Malware-Stolen Data

Russian Hacking Group Uses Dropbox To Store Malware-Stolen Data

Russian-backed hacking group Turla has used a previously undocumented malware toolset to deploy backdoors and steal sensitive documents in targeted cyber-espionage campaigns directed at high-profile targets such as the Ministry of Foreign Affairs of a European Union country.

The previously unknown malware framework, named Crutch by its authors, was used in campaigns spanning from 2015 to at least early 2020.

Turla’s Crutch malware was designed to help harvest and exfiltrate sensitive documents and various other files of interest to Dropbox accounts controlled by the Russian hacking group.

“The sophistication of the attacks and technical details of the discovery further strengthen the perception that the Turla group has considerable resources to operate such a large and diverse arsenal,” ESET researcher Matthieu Faou said in a report published today and shared in advance with BleepingComputer.

“Furthermore, Crutch is able to bypass some security layers by abusing legitimate infrastructure — here, Dropbox — in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators.”

Also Read: How To Secure Your WiFi Camera: 4 Points To Consider

Clear links to other Turla malware

ESET researchers were able to link Crutch to the Russian Turla advanced persistent threat (APT) group based on similarities with the second-stage Gazer (aka WhiteBear) backdoor the threat actors used between 2016 and 2017.

The use of the same RC4 key for decrypting payloads, identical filenames while being dropped on the same compromised machine in September 2017, and almost identical PDB paths are just a few of the strong links between the two observed by ESET.

“Given these elements and that Turla malware families are not known to be shared among different groups, we believe that Crutch is a malware family that is part of the Turla arsenal,” Faou added.

Also, based on the timestamps of over 500 ZIP archives containing stolen documents and uploaded to Turla’s Dropbox accounts between October 2018 and July 2019, the working hours of Crutch’s operators line up with the Russian UTC+3 time zone.

Active hours (ESET)

Dropbox abused as storage for stolen data

Turla delivered Crutch as a second stage backdoor on already compromised machines using first-stage implants like Skipper during 2017, months after the initial compromise in some cases, and the open-source PowerShell Empire post-exploitation framework

Early versions of Crutch (between 2015 to mid-2019) used backdoor channels to communicate with hardcoded Dropbox account via the official HTTP API and drive monitoring tools without network capabilities that searched for and archived interesting documents as encrypted archives.

An updated version (tracked as ‘version 4’ by ESET) added a removable-drive monitor with networking capabilities and removed the backdoor capabilities.

However, it allows for a more hands-off approach since it is capable of “automatically upload the files found on local and removable drives to Dropbox storage by using the Windows version of the Wget utility.”

Crutch malware architecture (ESET)

Both versions use DLL hijacking to gain persistence on compromised devices on Chrome, Firefox, or OneDrive, with Crutch v4 being dropped as “an old Microsoft Outlook component.”

“Crutch shows that the group is not short of new or currently undocumented backdoors,” Faou concluded.

“This discovery further strengthens the perception that the Turla group has considerable resources to operate such a large and diverse arsenal.”

Unorthodox espionage group

In total, throughout their espionage campaigns, Turla has compromised thousands of systems belonging to governments, embassies, as well as education and research facilities from more than 100 countries.

The Russian Turla APT group (also tracked as Waterbug and VENOMOUS BEAR) has been behind information theft and espionage campaigns going as far back as 1996.

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

Turla is the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.

The hacking group also hacked into the systems of an undisclosed European government entity using a combo of recently updated remote administration trojans (RATs) and remote procedure call (RPC)-based backdoors according to an October report published by Accenture Cyber Threat Intelligence (ACTI).

These nation-state-backed hackers are also known for the unorthodox methods they use during their cyber-espionage campaigns such as creating backdoor trojans with their own APIs, controlling malware using comments on Britney Spears Instagram photos, and even hijacking the infrastructure and malware of Iranian APT OilRig and using them in their own campaigns.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us