Saturday, May 25, 2024

Turla APT’c New Tool Designed to Steal Login Credentials

The Russian cyber espionage threat group “Turla APT group” was discovered to be using a new backdoor for its malicious operations.

This new backdoor has been termed “TinyTurla-NG” (TTNG), which shares similarities with a previously disclosed implant, TinyTurla, regarding coding style and functionality implementations.

However, this new backdoor has been circulating since December 2023 with targets as Polish non-government organizations that were supporting Ukraine during the Russian invasion. Additionally, this backdoor also uses a PowerShell script for exfiltration purposes.

Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks.

Turla APT’c New Tool

According to the reports shared with Cyber Security News, the Turla threat group was widely known to target several entities worldwide with multiple sets of offensive tools.

Their targets included the U.S., the European Union, Ukraine, and Asia. Moreover, this threat actor previously used CAPIBAR and KAZUAR malware families while targeting Ukrainian defense forces.

Nevertheless, researchers have discovered three different TinyTurla-NG samples in which the earliest compromise was found on December 18, 2023, and remained active till Jan 27, 2024. The latest campaign used WordPress-based websites as command and control (C2) endpoints for the TTNG backdoor.

All the attacker-controlled WordPress websites ran with a vulnerable version that allowed the upload of PHP files containing the C2 code. The PHP files had names like rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

TinyTurla-NG : PowerShell & Command Line

This backdoor is also similar to the previously used TinyTurla backdoor, which runs as a service DLL started via svchost.exe. Apart from the working, this new malware seems to be different and new, with several features distributed through multiple threads. 

Thread initialization (Source: Talos)
Thread initialization (Source: Talos)

Initially, the InitCfgSetupCreateEvent function in the malware initializes the config variables followed by two more threads via the CheckOSVersion_StartWorkerThreads function. These functions check the PowerShell and Windows versions, and the C2 is started with a campaign identifier and “Client Ready” message. Once the client is registered with the C2, the TTNG backdoor will ask the C2 for a task to execute.

This task is executed by the second thread, which was started with the CheckOSVersion_Start_WorkerThreads function, which waits until the TTNG backdoor receives the response from the C2.

In addition to this task execution, the backdoor also accepts the following command codes for the C2 as part of the administration of the implant or for file management.

  • timeout – changes the sleep duration between asking the C2 for new tasks
  • changeshell – switches the current shell (cmd.exe to Powershell.exe)
  • changepoint – tells the implant to switch to the second C2 URL
  • get – fetches a specified file from the C2
  • post – exfiltrates a file from the victim to the C2
  • killme – used to create a BAT file that is further used to delete a file from the disk of the victim machine.

Exfiltration Capabilities & C2

The backdoor uses a PowerShell script consisting of a C2 URL and file paths. The script also specifically excludes files with the extension “.mp4” and focuses on password management software and key materials that are used to secure password databases. 

The files are then converted into a ZIP archive and exfiltrated to the C2 server using HTTP/S POST request along with the activity log. The C2 servers were discovered to consist of legitimate vulnerable WordPress-based websites that the Turla threat group compromised. 

These C2 servers will contain directories and some files, such as 

  • C2 scripts (folder): This directory consists of PHP scripts ending with the extensions – “.old.php” and the URLs of these C2 servers were coded into the TTNG backdoors
  • Logging (folder):  This folder contains three log files
  • _log[.]txt: contains the log of all infected endpoints beaconing into the C2.
  • result[.]txt: contains the log of all messages received from the TTNG backdoor.
  • tasks[.]txt: contains the log of all commands issued to the infected hosts.
Logging folder (Source: Talos)
Logging folder (Source: Talos)
  • Data directories (folder): Stolen data are stored in this directory

Indicators of Compromise


  • 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
  • d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40


  • hanagram[.]jp
  • thefinetreats[.]com
  • caduff-sa[.]ch
  • jeepcarlease[.]com
  • buy-new-car[.]com
  • carleasingguru[.]com

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles