The Russian-speaking Turla advanced persistent threat group, whose many victims include the US Department of State, appears to have developed a dangerous new tactic for installing its data-stealing malware on targeted systems.
Security vendor ESET says it has recently observed Turla bundling one of its backdoors with a genuine Adobe Flash installer and delivering the malware to victim systems from legitimate Adobe URLs and IP addresses.
To the targeted endpoint, the remote IP address from which the malware is downloaded belongs to Akamai, the content delivery network that Adobe officially uses to distribute its Flash installer, ESET said in a technical whitepaper Tuesday. That makes the subterfuge much harder to spot: the URL, the domain and the IP address all point at legitimate Adobe infrastructure, so network-level reputation checks have nothing to flag.
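When the download origin is genuinely Adobe's CDN, the only thing left to inspect is the file itself. The script below is an added example written for this page; it is not ESET's tooling and not anything from the campaign described. It checks a downloaded installer's Authenticode signature and, optionally, its SHA-256 hash against a list you collected yourself. A genuine Adobe installer carries a valid Adobe signature over all of its bytes; an installer that has been repackaged to carry an extra payload is a different binary, so it is either unsigned, signed by someone else, or fails with HashMismatch if the signed bytes were altered. The `$InstallerPath`, `$ExpectedSignerSubject` and `$KnownGoodSha256` parameters are placeholders you supply; the signer substring match is an assumption about the certificate subject and should be tightened to the exact subject you observe on a known-good installer.

```powershell
# Added example, not code from the original article, from ESET, or from the
# attackers. Decides whether a downloaded "Flash installer" can be trusted based
# on the file itself, since the download origin (adobe.com URL, Akamai IP) is
# legitimate in the campaign described above and therefore proves nothing.
#
# Assumptions (hypothetical): $InstallerPath is the file that was just
# downloaded; $ExpectedSignerSubject is a substring expected in the signer's
# certificate subject; $KnownGoodSha256 is a hash allowlist you built from
# installers obtained through a trusted channel.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,
    [string]$ExpectedSignerSubject = 'Adobe',
    [string[]]$KnownGoodSha256 = @()
)

function Test-InstallerTrust {
    param(
        [string]$Path,
        [string]$SignerSubject,
        [string[]]$AllowedHashes
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Authenticode signature. Status values include Valid, NotSigned,
    #    HashMismatch and UnknownError. Anything other than Valid means the
    #    bytes on disk are not what the signer signed, or were never signed.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
    }

    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)', not 'Valid'")
    }
    elseif ($signer -notlike "*$SignerSubject*") {
        $findings.Add("Signed, but by '$signer' rather than the expected vendor")
    }

    # 2. Optional hash allowlist. Compare only against hashes of installers you
    #    fetched and verified yourself; never against a hash the endpoint reports
    #    or one embedded next to the download.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($AllowedHashes.Count -gt 0 -and $hash -notin $AllowedHashes) {
        $findings.Add("SHA-256 $hash is not in the known-good list")
    }

    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash
        SigStatus = $sig.Status
        Signer    = $signer
        Trusted   = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

$result = Test-InstallerTrust -Path $InstallerPath `
                              -SignerSubject $ExpectedSignerSubject `
                              -AllowedHashes $KnownGoodSha256
$result | Format-List

if (-not $result.Trusted) {
    Write-Warning 'Do not run this installer. Quarantine it and pull the endpoint''s download and process-creation telemetry for this session.'
    exit 1
}
```

Run it against the file the user actually downloaded, for example `.\Test-Installer.ps1 -InstallerPath "$env:USERPROFILE\Downloads\install_flash_player.exe"` (a hypothetical file name). The caveat is the obvious one: this catches an unsigned or tampered wrapper, not a payload signed with a stolen or attacker-controlled certificate, so the signer subject check should be exact rather than a substring in production, and the hash allowlist is the stronger of the two controls when you can maintain it.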
Turla has then been getting