The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory to highlight Neuron and Nautilus tools used alongside Snake—malware that provides a platform to steal sensitive data. NCSC provides enhanced cybersecurity services to protect against cybersecurity threats.

The report provides new intelligence by the NCSC on these two tools used by the Turla group to target the UK. It contains IOCs and signatures for detection by network defenders.

Neuron and Nautilus are malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers. The NCSC has observed these tools being used by the Turla group to maintain persistent network access and to conduct network operations.

The Turla group use a range of tools and techniques, many of which are custom. Using their advanced toolkit, the Turla group compromise networks for the purposes of intelligence collection. The Turla group is known to target government, military, technology, energy and commercial organizations.

The Turla group has operated on targets using a rootkit known as Snake for many years. Like Neuron and Nautilus, Snake provides a platform to steal sensitive data, acts as a gateway for internal network operations and is used to conduct onward attacks against other organizations.

According to the NCSC, it has observed both Neuron and Nautilus being used in conjunction with the Snake rootkit. In a number of instances, one or both of these tools has been deployed following the successful installation of Snake. The NCSC believes that Neuron and Nautilus are another component of the wider Turla campaign and are not acting as replacements for the Snake rootkit.

The Turla group are experienced in maintaining covert access through incident response activities. They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold back onto a victim even after the initial infection vector has been mitigated.

The advisory by the NCSC provides information to detect Neuron and Nautilus infections. The NCSC encourages any organization that has previously experienced a compromise by the Turla group to be diligent in checking for the presence of these additional tools. Whilst they are commonly deployed alongside the Snake rootkit, these tools can also be operated independently.