Turla APT, a Russian state-sponsored threat group, has been found using a previously undocumented backdoor named TinyTurla.

What has happened?

According to Cisco Talos, TinyTurla is a previously unidentified backdoor from the Turla APT group that has been in use since at least 2020.
  • The malware came to researchers' attention when it was used against targets in Afghanistan before the Taliban's recent takeover of the government.
  • It has since been found in attacks against other countries, including the U.S. and Germany.
  • Experts assess that the malware is most likely used as a second-stage dropper to load additional malware onto the system.

Additional insights

The attackers use the TinyTurla backdoor as a fallback to retain access to a compromised system if their primary access is removed. Its capabilities are limited to uploading, downloading, and executing files.
  • During the campaigns, the attackers reused compromised servers for their operations; such servers are typically accessed over SSH, often via Tor.
  • It is still not known how TinyTurla is initially dropped on victim systems, but the attackers install the backdoor with a BAT file that registers it as a Windows service. The backdoor is a DLL whose service name mimics the legitimate Windows Time (W32Time) service.
  • The malware polls the C2 server every five seconds. This fixed interval produces an unusually regular traffic pattern that can be readily flagged as suspicious.
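The five-second polling interval is the kind of machine-regular pattern that stands out in connection logs. The following is an added example, not code from the article or from Cisco Talos, that scores each source-to-destination flow by how constant its inter-connection gap is; the log format, host names and addresses are constructed for the example.

```python
"""Detect fixed-interval C2 beaconing in connection logs.

Added example (not code from the original article or from Cisco Talos).
TinyTurla is reported to poll its C2 every five seconds, so a host that
opens a connection to the same destination at an almost constant interval
stands out against user-driven traffic. The log format, hosts and
addresses below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<timestamp> <src_host> <dst_ip>:<dst_port>"
# WS-017 polls its destination every 5 s; WS-021 shows irregular user traffic.
SAMPLE_LOG = """\
2021-09-20T10:00:00 WS-017 203.0.113.5:443
2021-09-20T10:00:05 WS-017 203.0.113.5:443
2021-09-20T10:00:10 WS-017 203.0.113.5:443
2021-09-20T10:00:15 WS-017 203.0.113.5:443
2021-09-20T10:00:20 WS-017 203.0.113.5:443
2021-09-20T10:00:25 WS-017 203.0.113.5:443
2021-09-20T10:00:03 WS-021 198.51.100.7:443
2021-09-20T10:00:41 WS-021 198.51.100.7:443
2021-09-20T10:01:02 WS-021 198.51.100.7:443
2021-09-20T10:02:30 WS-021 198.51.100.7:443
2021-09-20T10:04:11 WS-021 198.51.100.7:443
2021-09-20T10:05:00 WS-021 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps, min_events=5):
    """Return (mean_gap_seconds, jitter_ratio), or None if too few events.

    jitter_ratio = stddev / mean of the gaps between consecutive connections.
    A value near 0 means a near-constant interval, i.e. automated polling.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_jitter=0.2, max_interval=60):
    """List flows whose connection interval is short and nearly constant."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        interval, jitter = score
        if interval <= max_interval and jitter <= max_jitter:
            hits.append({"src": src, "dst": dst,
                         "interval": round(interval, 1),
                         "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every {hit['interval']}s (jitter {hit['jitter']})")
```

The jitter ratio is what separates polling from browsing: both hosts above average well under a minute between connections, but only WS-017 keeps a constant gap. On real data, raise `min_events` and tune `max_jitter` to the noise in your logs, and remember that a beacon with randomised sleep needs a different test (for example, a histogram of gaps rather than a single standard deviation).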

Conclusion

The Turla APT group managed to keep its new backdoor undetected for around two years. This shows that threat actors have improved at evading conventional detection by hiding under the guise of legitimate services. Organizations are therefore advised to deploy automated security solutions that can detect and block such malicious services.

Cyware Publisher
