Turla group using Neuron and Nautilus tools alongside Snake malware

Neuron and Nautilus are malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers. The NCSC has observed these tools being used by the Turla group to maintain persistent network access and to conduct network operations.

The Turla group use a range of tools and techniques, many of which are custom. Using their advanced toolkit, the Turla group compromise networks for the purposes of intelligence collection. The Turla group is known to target government, military, technology, energy and commercial organisations.

The Turla group has operated on targets using a rootkit known as Snake for many years. Like Neuron and Nautilus, Snake provides a platform to steal sensitive data, acts as a gateway for internal network operations and is used to conduct onward attacks against other organisations.

The Turla group are experienced in maintaining covert access throughout incident response activities. They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold on a victim network even after the initial infection vector has been mitigated.

The NCSC has observed both Neuron and Nautilus being used in conjunction with the Snake rootkit. In a number of instances, one or both of these tools have been deployed following the successful installation of Snake. The NCSC believes that Neuron and Nautilus are another component of the wider Turla campaign and are not acting as replacements for the Snake rootkit. It is likely that these tools have seen wider deployment since the Snake rootkit was reported on by the information security industry, providing the group with additional methods of access.

This advisory provides information to detect Neuron and Nautilus infections. The NCSC encourages any organisation that has previously experienced a compromise by the Turla group to be diligent in checking for the presence of these additional tools. Whilst they are commonly deployed alongside the Snake rootkit, these tools can also be operated independently.

