Russian based hacking group named Turla used malware, a downloader, and a backdoor in a waterhole operation. This Russian based hacking group have compromised at least four websites of which two were Armenian government.
Waterhole attack is a strategic attack in which attacker infects the website which is often visited by the victim or particular targetted groups.
The strategy behind the attack
The tools used by hackers were a .NET malware dropper named NetFlash and a backdoor scripted in python named as PyFlash. The attackers had made a fake Adobe Flash update to the victims.
Tools used in Turla Malware
NetFlash (.NET downloader)
The NET application drops and Adobe Flash v32, and NetFlash (a .NET downloader) after that the next stage for the attack begins and NetFlash starts second stage malware from a hardcoded URL to remain its persistency.
A py2exe backdoor is executed and converts it into a Python script Windows executable. The backdoor communication was done with C&C server via HTTP request and whole communication was encrypted with an AES key and this sends various information related to the system like IP, mac address, system-info, task list etc..
Samples and other information related to C&C server has been mentioned by We Live Security