Wednesday, April 2, 2025
HomeCyber AttackTurla APT’c New Tool Designed to Steal Login Credentials

Turla APT’c New Tool Designed to Steal Login Credentials

Published on

SIEM as a Service

Follow Us on Google News

The Russian cyber espionage threat group “Turla APT group” was discovered to be using a new backdoor for its malicious operations.

This new backdoor has been termed “TinyTurla-NG” (TTNG), which shares similarities with a previously disclosed implant, TinyTurla, regarding coding style and functionality implementations.

However, this new backdoor has been circulating since December 2023 with targets as Polish non-government organizations that were supporting Ukraine during the Russian invasion. Additionally, this backdoor also uses a PowerShell script for exfiltration purposes.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

Turla APT’c New Tool

According to the reports shared with Cyber Security News, the Turla threat group was widely known to target several entities worldwide with multiple sets of offensive tools.

Their targets included the U.S., the European Union, Ukraine, and Asia. Moreover, this threat actor previously used CAPIBAR and KAZUAR malware families while targeting Ukrainian defense forces.

Nevertheless, researchers have discovered three different TinyTurla-NG samples in which the earliest compromise was found on December 18, 2023, and remained active till Jan 27, 2024. The latest campaign used WordPress-based websites as command and control (C2) endpoints for the TTNG backdoor.

All the attacker-controlled WordPress websites ran with a vulnerable version that allowed the upload of PHP files containing the C2 code. The PHP files had names like rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

TinyTurla-NG : PowerShell & Command Line

This backdoor is also similar to the previously used TinyTurla backdoor, which runs as a service DLL started via svchost.exe. Apart from the working, this new malware seems to be different and new, with several features distributed through multiple threads. 

Thread initialization (Source: Talos)
Thread initialization (Source: Talos)

Initially, the InitCfgSetupCreateEvent function in the malware initializes the config variables followed by two more threads via the CheckOSVersion_StartWorkerThreads function. These functions check the PowerShell and Windows versions, and the C2 is started with a campaign identifier and “Client Ready” message. Once the client is registered with the C2, the TTNG backdoor will ask the C2 for a task to execute.

This task is executed by the second thread, which was started with the CheckOSVersion_Start_WorkerThreads function, which waits until the TTNG backdoor receives the response from the C2.

In addition to this task execution, the backdoor also accepts the following command codes for the C2 as part of the administration of the implant or for file management.

  • timeout – changes the sleep duration between asking the C2 for new tasks
  • changeshell – switches the current shell (cmd.exe to Powershell.exe)
  • changepoint – tells the implant to switch to the second C2 URL
  • get – fetches a specified file from the C2
  • post – exfiltrates a file from the victim to the C2
  • killme – used to create a BAT file that is further used to delete a file from the disk of the victim machine.

Exfiltration Capabilities & C2

The backdoor uses a PowerShell script consisting of a C2 URL and file paths. The script also specifically excludes files with the extension “.mp4” and focuses on password management software and key materials that are used to secure password databases. 

The files are then converted into a ZIP archive and exfiltrated to the C2 server using HTTP/S POST request along with the activity log. The C2 servers were discovered to consist of legitimate vulnerable WordPress-based websites that the Turla threat group compromised. 

These C2 servers will contain directories and some files, such as 

  • C2 scripts (folder): This directory consists of PHP scripts ending with the extensions – “.old.php” and the URLs of these C2 servers were coded into the TTNG backdoors
  • Logging (folder):  This folder contains three log files
  • _log[.]txt: contains the log of all infected endpoints beaconing into the C2.
  • result[.]txt: contains the log of all messages received from the TTNG backdoor.
  • tasks[.]txt: contains the log of all commands issued to the infected hosts.
Logging folder (Source: Talos)
Logging folder (Source: Talos)
  • Data directories (folder): Stolen data are stored in this directory

Indicators of Compromise

Hashes

  • 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
  • d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

Domains

  • hanagram[.]jp
  • thefinetreats[.]com
  • caduff-sa[.]ch
  • jeepcarlease[.]com
  • buy-new-car[.]com
  • carleasingguru[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

North Korea IT Workers Expand Their Employment Across Europe To Infiltrate the Company Networks

North Korean IT workers have intensified their global operations, expanding their employment footprint across...

Hackers Hijack Telegram Accounts via Default Voicemail Passwords

The Israeli Internet Association has issued a public warning about a surge in cyberattacks...

Gootloader Malware Spreads via Google Ads with Weaponized Documents

The notorious Gootloader malware has resurfaced with a new campaign that combines old tactics...

Google Introduces End-to-End Encryption for Gmail Business Users

Google has unveiled end-to-end encryption (E2EE) capabilities for Gmail enterprise users, simplifying encrypted email...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

North Korea IT Workers Expand Their Employment Across Europe To Infiltrate the Company Networks

North Korean IT workers have intensified their global operations, expanding their employment footprint across...

Hackers Hijack Telegram Accounts via Default Voicemail Passwords

The Israeli Internet Association has issued a public warning about a surge in cyberattacks...

Gootloader Malware Spreads via Google Ads with Weaponized Documents

The notorious Gootloader malware has resurfaced with a new campaign that combines old tactics...