Wednesday, April 30, 2025
Turla APT’s New Tool Designed to Steal Login Credentials

The Russian cyber espionage group Turla has been discovered using a new backdoor in its malicious operations.

The new backdoor has been named “TinyTurla-NG” (TTNG); it shares similarities in coding style and functionality with a previously disclosed implant, TinyTurla.

The backdoor has been in circulation since December 2023, targeting Polish non-governmental organizations that have supported Ukraine during the Russian invasion. It also uses a PowerShell script for exfiltration.

Turla APT’s New Tool

According to the reports shared with Cyber Security News, the Turla threat group is widely known for targeting entities worldwide with multiple sets of offensive tools.

Its targets have included the U.S., the European Union, Ukraine, and Asia. The group previously used the CAPIBAR and KAZUAR malware families against Ukrainian defense forces.

Researchers have discovered three different TinyTurla-NG samples; the earliest compromise was found on December 18, 2023, and the activity remained ongoing until Jan 27, 2024. The latest campaign used WordPress-based websites as command and control (C2) endpoints for the TTNG backdoor.

All of the attacker-controlled WordPress websites ran a vulnerable version that allowed the upload of PHP files containing the C2 code. The PHP files had names such as rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

TinyTurla-NG: PowerShell & Command Line

This backdoor resembles the earlier TinyTurla backdoor in that it runs as a service DLL started via svchost.exe. Beyond that mode of operation, the new malware is substantially different, with several features distributed across multiple threads.

Thread initialization (Source: Talos)

Initially, the InitCfgSetupCreateEvent function initializes the configuration variables; two more threads are then started via the CheckOSVersion_StartWorkerThreads function. These functions check the PowerShell and Windows versions, and contact with the C2 is initiated with a campaign identifier and a “Client Ready” message. Once the client is registered with the C2, the TTNG backdoor asks the C2 for a task to execute.

The task is executed by the second thread started by the CheckOSVersion_StartWorkerThreads function, which waits until the TTNG backdoor receives the response from the C2.

In addition to task execution, the backdoor accepts the following command codes from the C2 for administration of the implant and for file management:

  • timeout – changes the sleep duration between requests to the C2 for new tasks
  • changeshell – switches the current shell (cmd.exe to PowerShell.exe)
  • changepoint – tells the implant to switch to the second C2 URL
  • get – fetches a specified file from the C2
  • post – exfiltrates a file from the victim to the C2
  • killme – creates a BAT file that is then used to delete a file from the victim machine’s disk

Exfiltration Capabilities & C2

The backdoor uses a PowerShell script that contains a C2 URL and a set of file paths. The script specifically excludes files with the “.mp4” extension and focuses on password management software and the key material used to secure password databases.

The collected files are packed into a ZIP archive and exfiltrated to the C2 server via an HTTP/S POST request, together with the activity log. The C2 servers were found to be legitimate, vulnerable WordPress-based websites that the Turla threat group had compromised.

These C2 servers contain the following directories and files:

  • C2 scripts (folder): PHP scripts ending with the extension “.old.php”; the URLs of these scripts are hard-coded into the TTNG backdoors
  • Logging (folder): three log files
      • _log[.]txt: the log of all infected endpoints beaconing into the C2
      • result[.]txt: the log of all messages received from the TTNG backdoor
      • tasks[.]txt: the log of all commands issued to the infected hosts
  • Data directories (folder): stolen data is stored here

Logging folder (Source: Talos)

Indicators of Compromise

Hashes

  • 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
  • d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

Domains

  • hanagram[.]jp
  • thefinetreats[.]com
  • caduff-sa[.]ch
  • jeepcarlease[.]com
  • buy-new-car[.]com
  • carleasingguru[.]com
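As an added example (not part of the original article or of Talos’s research), the following Python script turns the published indicators into a defender-side check: it refangs the domain list above, matches it against hostnames in constructed proxy log lines, flags request paths that follow the “.old.php” / “rss-old.php” naming reported for the WordPress C2 scripts, and compares a SHA-256 value against the two sample hashes. The log format, the client IPs and all hostnames other than the listed IoC domains are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains and file hashes exactly as listed in the article's IoC section (defanged form kept).
IOC_DOMAINS_DEFANGED = [
    "hanagram[.]jp",
    "thefinetreats[.]com",
    "caduff-sa[.]ch",
    "jeepcarlease[.]com",
    "buy-new-car[.]com",
    "carleasingguru[.]com",
]
IOC_SHA256 = {
    "267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b",
    "d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40",
}


def refang(indicator: str) -> str:
    """Turn the article's defanged 'example[.]com' notation back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# The article reports C2 scripts named rss-old.php, rss.old.php and block.old.php.
# This pattern generalises to any request whose final path component ends in "old.php".
C2_PATH_RE = re.compile(r"/[^/?#]*old\.php$", re.IGNORECASE)


def domain_matches(host: str) -> bool:
    """Exact or subdomain match against the IoC domain list."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url: str) -> list[str]:
    """Return the reasons (possibly none) a URL looks related to this campaign."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname and domain_matches(parts.hostname):
        reasons.append("ioc-domain")
    if C2_PATH_RE.search(parts.path):
        reasons.append("old-php-c2-path")
    return reasons


# Constructed proxy log lines in an assumed "timestamp client method url status" format.
# The IoC hostnames are from the article; everything else here is made up for the example.
SAMPLE_PROXY_LOG = """\
2024-01-15T10:01:02Z 10.0.0.21 POST https://thefinetreats.com/wp-content/rss-old.php 200
2024-01-15T10:01:07Z 10.0.0.21 GET https://www.example.org/news/index.php 200
2024-01-15T10:02:13Z 10.0.0.34 POST https://cdn.hanagram.jp/block.old.php 200
2024-01-15T10:03:44Z 10.0.0.50 GET https://legit-blog.example/feed/rss.old.php 404
"""


def scan_proxy_log(text: str) -> list[tuple[str, list[str]]]:
    """Flag log lines whose URL hits an IoC domain or the C2 script naming pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        url = fields[3]
        reasons = classify_url(url)
        if reasons:
            hits.append((url, reasons))
    return hits


def hash_matches(sha256_hex: str) -> bool:
    """Compare a computed SHA-256 (e.g. from an EDR alert) against the published sample hashes."""
    return sha256_hex.lower() in IOC_SHA256


if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{url}  <- {', '.join(reasons)}")
```

The path pattern alone is a weak signal (the fourth sample line shows an unrelated host hitting a similarly named file), so it is reported as a separate reason from the domain match rather than folded into one verdict; an analyst can weight the two differently when triaging.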

Eswar