Turla APT’c New Tool Designed to Steal Login Credentials

The Russian cyber espionage threat group “Turla APT group” was discovered to be using a new backdoor for its malicious operations.

This new backdoor has been termed “TinyTurla-NG” (TTNG), which shares similarities with a previously disclosed implant, TinyTurla, regarding coding style and functionality implementations.

However, this new backdoor has been circulating since December 2023 with targets as Polish non-government organizations that were supporting Ukraine during the Russian invasion. Additionally, this backdoor also uses a PowerShell script for exfiltration purposes.

Turla APT’c New Tool

According to the reports shared with Cyber Security News, the Turla threat group was widely known to target several entities worldwide with multiple sets of offensive tools.

Their targets included the U.S., the European Union, Ukraine, and Asia. Moreover, this threat actor previously used CAPIBAR and KAZUAR malware families while targeting Ukrainian defense forces.

Nevertheless, researchers have discovered three different TinyTurla-NG samples in which the earliest compromise was found on December 18, 2023, and remained active till Jan 27, 2024. The latest campaign used WordPress-based websites as command and control (C2) endpoints for the TTNG backdoor.

All the attacker-controlled WordPress websites ran with a vulnerable version that allowed the upload of PHP files containing the C2 code. The PHP files had names like rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

TinyTurla-NG : PowerShell & Command Line

This backdoor is also similar to the previously used TinyTurla backdoor, which runs as a service DLL started via svchost.exe. Apart from the working, this new malware seems to be different and new, with several features distributed through multiple threads. 

Initially, the InitCfgSetupCreateEvent function in the malware initializes the config variables followed by two more threads via the CheckOSVersion_StartWorkerThreads function. These functions check the PowerShell and Windows versions, and the C2 is started with a campaign identifier and “Client Ready” message. Once the client is registered with the C2, the TTNG backdoor will ask the C2 for a task to execute.

This task is executed by the second thread, which was started with the CheckOSVersion_Start_WorkerThreads function, which waits until the TTNG backdoor receives the response from the C2.

In addition to this task execution, the backdoor also accepts the following command codes for the C2 as part of the administration of the implant or for file management.

• timeout – changes the sleep duration between asking the C2 for new tasks
• changeshell – switches the current shell (cmd.exe to Powershell.exe)
• changepoint – tells the implant to switch to the second C2 URL
• get – fetches a specified file from the C2
• post – exfiltrates a file from the victim to the C2
• killme – used to create a BAT file that is further used to delete a file from the disk of the victim machine.

Exfiltration Capabilities & C2

The backdoor uses a PowerShell script consisting of a C2 URL and file paths. The script also specifically excludes files with the extension “.mp4” and focuses on password management software and key materials that are used to secure password databases. 

The files are then converted into a ZIP archive and exfiltrated to the C2 server using HTTP/S POST request along with the activity log. The C2 servers were discovered to consist of legitimate vulnerable WordPress-based websites that the Turla threat group compromised. 

These C2 servers will contain directories and some files, such as 

• C2 scripts (folder): This directory consists of PHP scripts ending with the extensions – “.old.php” and the URLs of these C2 servers were coded into the TTNG backdoors
• Logging (folder):  This folder contains three log files
• _log[.]txt: contains the log of all infected endpoints beaconing into the C2.
• result[.]txt: contains the log of all messages received from the TTNG backdoor.
• tasks[.]txt: contains the log of all commands issued to the infected hosts.

• Data directories (folder): Stolen data are stored in this directory

Indicators of Compromise

Hashes

• 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
• d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

Domains

• hanagram[.]jp
• thefinetreats[.]com
• caduff-sa[.]ch
• jeepcarlease[.]com
• buy-new-car[.]com
• carleasingguru[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.