Cisco Talos researchers reported that the Russia-linked Turla APT group recently used a new backdoor, dubbed TinyTurla, in a series of attacks against the US, Germany, and Afghanistan. The threat actors are using the backdoorsince at least 2020.
The attacks against entities in Afghanistan took place prior to the Taliban’s recent takeover of the government in the country and the withdrawal of all military forces of the United States and its allies. Threat actors targeted the previous Afghan government, Talos speculates.
The previously undetected backdoor is likely used by the nation-state actor as a second-chance backdoor in case if the primary Turla malware is removed. The backdoor allows attacker to maintain access to the infected system and could also be used as a second-stage dropper to deliver additional payloads.
“The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service “Windows Time Service”, like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. In our review of this malware, the backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.” reads the analysis published by Talos researchers.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The list of previously known victims is long and also includes the Pentagon, the Swiss defense firm RUAG, US Department of State, European government entities and the US Central Command.
The researchers have yet to discover how the TinyTurla backdoor was installed on the victim system. Threat actors used a .bat file to deliver the backdoor that comes in the form of a service DLL called w64time.dll.
TinyTurla implements multiple capabilities such as uploading and executing files and payloads, creating subprocesses, and exfiltrating data.
“Talos has monitored many noisy Turla operations, for example. During their campaigns, they are often using and re-using compromised servers for their operations, which they access via SSH, often protected by TOR. One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla Infrastructure.” concludes Talos.
(SecurityAffairs – hacking, Turla)