The Russian cyber espionage threat group “Turla APT group” was discovered to be using a new backdoor for its malicious operations.
This new backdoor has been termed “TinyTurla-NG” (TTNG), which shares similarities with a previously disclosed implant, TinyTurla, regarding coding style and functionality implementations.
However, this new backdoor has been circulating since December 2023 with targets as Polish non-government organizations that were supporting Ukraine during the Russian invasion. Additionally, this backdoor also uses a PowerShell script for exfiltration purposes.
Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .
According to the reports shared with Cyber Security News, the Turla threat group was widely known to target several entities worldwide with multiple sets of offensive tools.
Their targets included the U.S., the European Union, Ukraine, and Asia. Moreover, this threat actor previously used CAPIBAR and KAZUAR malware families while targeting Ukrainian defense forces.
Nevertheless, researchers have discovered three different TinyTurla-NG samples in which the earliest compromise was found on December 18, 2023, and remained active till Jan 27, 2024. The latest campaign used WordPress-based websites as command and control (C2) endpoints for the TTNG backdoor.
All the attacker-controlled WordPress websites ran with a vulnerable version that allowed the upload of PHP files containing the C2 code. The PHP files had names like rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.
This backdoor is also similar to the previously used TinyTurla backdoor, which runs as a service DLL started via svchost.exe. Apart from the working, this new malware seems to be different and new, with several features distributed through multiple threads.
Initially, the InitCfgSetupCreateEvent function in the malware initializes the config variables followed by two more threads via the CheckOSVersion_StartWorkerThreads function. These functions check the PowerShell and Windows versions, and the C2 is started with a campaign identifier and “Client Ready” message. Once the client is registered with the C2, the TTNG backdoor will ask the C2 for a task to execute.
This task is executed by the second thread, which was started with the CheckOSVersion_Start_WorkerThreads function, which waits until the TTNG backdoor receives the response from the C2.
In addition to this task execution, the backdoor also accepts the following command codes for the C2 as part of the administration of the implant or for file management.
The backdoor uses a PowerShell script consisting of a C2 URL and file paths. The script also specifically excludes files with the extension “.mp4” and focuses on password management software and key materials that are used to secure password databases.
The files are then converted into a ZIP archive and exfiltrated to the C2 server using HTTP/S POST request along with the activity log. The C2 servers were discovered to consist of legitimate vulnerable WordPress-based websites that the Turla threat group compromised.
These C2 servers will contain directories and some files, such as
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…
Semiconductor companies, pivotal in the tech industry for their role in producing components integral to…
Enterprises are facing heightened cyber threats as attackers increasingly target network infrastructure, particularly routers, following…
Threat actors are using open-source software (OSS) repositories to install malicious code into trusted applications,…
The notorious Tycoon 2FA phishing kit continues its evolution with new strategies designed to slip…
INE Security Highlights How Practical, immersive training environments help defense contractors meet DoD cybersecurity requirements…