Pierluigi Paganini February 16, 2024

Russia-linked APT group Turla has been spotted targeting Polish non-governmental organizations (NGO) with a new backdoor dubbed TinyTurla-NG.

Russia-linked cyberespionage group Turla has been spotted using a new backdoor dubbed TinyTurla-NG in attacks aimed at Polish non-governmental organizations.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

Cisco Talos researchers reported that “TinyTurla-NG” (TTNG) is similar to Turla’s implant TinyTurla.

TinyTurla-NG was spotted in early December 2023, it was employed in attacks targeting NGOs working on improving Polish democracy and supporting Ukraine during the Russian invasion.

“Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.” reads the report published by Cisco Talos.

Talos also discovered previously undetected PowerShell dubbed “TurlaPower-NG ” that was designed for data exfiltration. Turla operators used the scripts to exfiltrate keys used to secure the password databases of popular password management software.

The cybersecurity firm identified three different TinyTurla-NG samples, and gained access to two of them. This latest campaign began at least on December 18, 2023, and was still active as recently as January 27, 2024. Evidence gathered by the experts suggests that that campaign may have begun as early as November 2023. 

Turla operators used compromised WordPress websites as C2 for the TinyTurla-NG backdoor. Threat actors compromised the websites running vulnerable versions of the popular CMS, including 4.4.20, 5.0.21, 5.1.18 and 5.7.2. The attackers uploaded PHP files containing the C2 code consisting of names such as: rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.

Since the beginning of the campaign, the attackers used various C2 servers to host PowerShell scripts and arbitrary commands that could be executed on the victim’s machine.

Like TinyTurla, TinyTurla-NG operates as a service DLL initiated through svchost.exe. The malware uses Windows events for synchronization, with the first primary malware thread initiated in the DLL’s ServiceMain function.

The malware supports the following commands:

• “changeshell”: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
• “changepoint”: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
• “get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
• “post”: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
• “killme”: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat. 

The report includes indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Turla)