Email PDF Attachments to Control Stealthy Backdoor

Turla, a highly sophisticated Russian cyberespionage group also known as Snake and Uroburos, has for the past several years been using PDFs in emails to control an especially stealthy Microsoft Outlook backdoor. The most recent victims of the backdoor include Germany’s Federal Foreign Office, a significant defense contractor, and the foreign offices of at least two other European countries. In the attack against Germany’s Federal Foreign Office, Turla dropped the backdoor on several systems and used them to steal data. The latest ESET research offers a rare glimpse into the mechanics of a particularly stealthy and resilient backdoor that the Turla cyberespionage group can fully control via PDFs attached to emails.

Image Source: Turla Outlook backdoor timeline

Timestamps in the malware’s code suggest that Turla developed a basic version of the Outlook backdoor in 2009. The first iteration of the malware could only dump emails. Since then, the group has added new features to make it an extraordinarily stealthy and resilient tool for stealing data from target networks. In 2013, Turla introduced a capability that allowed the backdoor to execute commands sent via email in XML format. In 2006, the group added the ability for the malware to respond to commands sent as email attachments in specially crafted PDF documents. The latest version, released in April 2018, incorporates the ability to execute PowerShell scripts directly in computer memory.

Most backdoors use HTTP or HTTPS to communicate with their command and control (C2 or CnC) servers, and a few use other protocols such as DNS. Typically, the network traffic associated with these protocols is heavily monitored or filtered, especially in big organizations and government entities.

The backdoor is a standalone dynamic link library that is able to install itself and interact with Outlook and other email clients. It exfiltrates data through email exchanges, which means that it avoids detection by many commonly used data loss prevention products. The data is enclosed in a PDF container, which also looks harmless to many security solutions.

Outlook backdoor capabilities

The backdoor can function independently: it does not require a full internet connection and can operate on any computer, which makes it useful in strictly controlled environments. Moreover, even if the attackers’ email address is disabled, they can still regain control of the backdoor by sending a command from another address. This makes the malware resilient. Another significant capability of the Outlook backdoor is that it uses email messages to communicate with the attackers instead of relying on a C2 (Command & Control) server.

The image below shows the display of a message box and the launch of the calculator after Outlook received an email containing such a PDF document. It demonstrates that this backdoor was designed to receive commands via PDF email attachments.

Image Source: Execution of the commands specified in the PDF document.

Turla’s Targets

The Turla group has used the Outlook backdoor in attacks targeting several European governments and defense contractors. So far, the group has used the backdoor to target France’s Minister of Foreign Affairs and Europe’s Organization for Security and Cooperation. Most governments have highly restrictive networks. Organizations are at risk of being spied on not only by the Turla group, which planted the backdoor, but also by other attackers, because the backdoor executes any command it receives without being able to recognize the operator. It’s vital to monitor emails for unusual behavior, such as the forwarding of every email to an external email address.
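One way to check for the forwarding pattern described above, as an added example that is not from the original article or from ESET's research: the script scans a constructed message-trace sample and flags mailboxes where nearly every received message is followed within a minute by a message to the same external address. The CSV layout, the example.org domain and the thresholds are assumptions to adapt to your own mail logs.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = "@example.org"  # assumption: the organisation's own mail domain

# Constructed message-trace sample: time, direction, mailbox, peer, attachment
SAMPLE_TRACE = """\
2018-04-02T09:00:00,in,alice@example.org,partner@example.net,
2018-04-02T09:00:20,out,alice@example.org,drop@mail.example.com,report.pdf
2018-04-02T09:05:00,in,bob@example.org,alice@example.org,
2018-04-02T09:14:00,in,alice@example.org,bob@example.org,
2018-04-02T09:14:25,out,alice@example.org,drop@mail.example.com,report.pdf
2018-04-02T09:40:00,in,bob@example.org,customer@example.net,
2018-04-02T09:40:40,out,bob@example.org,customer@example.net,quote.pdf
2018-04-02T10:02:00,in,alice@example.org,hr@example.org,
2018-04-02T10:02:15,out,alice@example.org,drop@mail.example.com,report.pdf
2018-04-02T10:10:00,in,bob@example.org,hr@example.org,
2018-04-02T11:00:00,in,bob@example.org,alice@example.org,
2018-04-02T11:20:00,out,bob@example.org,alice@example.org,
2018-04-02T11:30:00,in,alice@example.org,partner@example.net,
2018-04-02T11:30:30,out,alice@example.org,drop@mail.example.com,report.pdf
"""

def suspicious_forwarders(trace, window=timedelta(seconds=60), min_inbound=3, ratio=0.8):
    """Flag mailboxes where nearly every inbound message is followed within
    `window` by an outbound message to one and the same external address."""
    inbound = defaultdict(list)                        # mailbox -> receive times
    outbound = defaultdict(lambda: defaultdict(list))  # mailbox -> peer -> [(time, attachment)]
    for row in csv.reader(io.StringIO(trace)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, direction, box, peer, att = row
        ts = datetime.fromisoformat(ts)
        if direction == "in":
            inbound[box].append(ts)
        elif not peer.lower().endswith(INTERNAL):
            outbound[box][peer.lower()].append((ts, att))
    flagged = {}
    for box, received in inbound.items():
        if len(received) < min_inbound:
            continue  # too little traffic to judge
        for peer, sent in outbound[box].items():
            followed = sum(any(timedelta(0) <= s - r <= window for s, _ in sent)
                           for r in received)
            if followed / len(received) >= ratio:
                pdfs = sum(a.lower().endswith(".pdf") for _, a in sent)
                flagged[box] = {"to": peer, "followed": followed, "pdf_attachments": pdfs}
    return flagged
```

On the sample, only alice@example.org is flagged; bob's single reply to a customer stays below the ratio threshold. The PDF count is reported because the article notes that the stolen data leaves inside PDF containers.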

Organizations should notify their employees about this scam and provide regular Security Awareness training.
