Tuesday, December 3, 2024
HomeCyber AttackTurla APT’c New Tool Designed to Steal Login Credentials

Turla APT’c New Tool Designed to Steal Login Credentials

Published on

SIEM as a Service

The Russian cyber espionage threat group “Turla APT group” was discovered to be using a new backdoor for its malicious operations.

This new backdoor has been termed “TinyTurla-NG” (TTNG), which shares similarities with a previously disclosed implant, TinyTurla, regarding coding style and functionality implementations.

However, this new backdoor has been circulating since December 2023 with targets as Polish non-government organizations that were supporting Ukraine during the Russian invasion. Additionally, this backdoor also uses a PowerShell script for exfiltration purposes.

- Advertisement - SIEM as a Service
Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

Turla APT’c New Tool

According to the reports shared with Cyber Security News, the Turla threat group was widely known to target several entities worldwide with multiple sets of offensive tools.

Their targets included the U.S., the European Union, Ukraine, and Asia. Moreover, this threat actor previously used CAPIBAR and KAZUAR malware families while targeting Ukrainian defense forces.

Nevertheless, researchers have discovered three different TinyTurla-NG samples in which the earliest compromise was found on December 18, 2023, and remained active till Jan 27, 2024. The latest campaign used WordPress-based websites as command and control (C2) endpoints for the TTNG backdoor.

All the attacker-controlled WordPress websites ran with a vulnerable version that allowed the upload of PHP files containing the C2 code. The PHP files had names like rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

TinyTurla-NG : PowerShell & Command Line

This backdoor is also similar to the previously used TinyTurla backdoor, which runs as a service DLL started via svchost.exe. Apart from the working, this new malware seems to be different and new, with several features distributed through multiple threads. 

Thread initialization (Source: Talos)
Thread initialization (Source: Talos)

Initially, the InitCfgSetupCreateEvent function in the malware initializes the config variables followed by two more threads via the CheckOSVersion_StartWorkerThreads function. These functions check the PowerShell and Windows versions, and the C2 is started with a campaign identifier and “Client Ready” message. Once the client is registered with the C2, the TTNG backdoor will ask the C2 for a task to execute.

This task is executed by the second thread, which was started with the CheckOSVersion_Start_WorkerThreads function, which waits until the TTNG backdoor receives the response from the C2.

In addition to this task execution, the backdoor also accepts the following command codes for the C2 as part of the administration of the implant or for file management.

  • timeout – changes the sleep duration between asking the C2 for new tasks
  • changeshell – switches the current shell (cmd.exe to Powershell.exe)
  • changepoint – tells the implant to switch to the second C2 URL
  • get – fetches a specified file from the C2
  • post – exfiltrates a file from the victim to the C2
  • killme – used to create a BAT file that is further used to delete a file from the disk of the victim machine.

Exfiltration Capabilities & C2

The backdoor uses a PowerShell script consisting of a C2 URL and file paths. The script also specifically excludes files with the extension “.mp4” and focuses on password management software and key materials that are used to secure password databases. 

The files are then converted into a ZIP archive and exfiltrated to the C2 server using HTTP/S POST request along with the activity log. The C2 servers were discovered to consist of legitimate vulnerable WordPress-based websites that the Turla threat group compromised. 

These C2 servers will contain directories and some files, such as 

  • C2 scripts (folder): This directory consists of PHP scripts ending with the extensions – “.old.php” and the URLs of these C2 servers were coded into the TTNG backdoors
  • Logging (folder):  This folder contains three log files
  • _log[.]txt: contains the log of all infected endpoints beaconing into the C2.
  • result[.]txt: contains the log of all messages received from the TTNG backdoor.
  • tasks[.]txt: contains the log of all commands issued to the infected hosts.
Logging folder (Source: Talos)
Logging folder (Source: Talos)
  • Data directories (folder): Stolen data are stored in this directory

Indicators of Compromise

Hashes

  • 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
  • d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

Domains

  • hanagram[.]jp
  • thefinetreats[.]com
  • caduff-sa[.]ch
  • jeepcarlease[.]com
  • buy-new-car[.]com
  • carleasingguru[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...