Russian Turla Cyberspies Target Polish NGOs With New Backdoor

Russian state-sponsored threat actor Turla has been using a new backdoor in recent attacks targeting Polish NGOs.

Russian state-sponsored threat actor Turla has been observed deploying a new backdoor in recent attacks targeting non-governmental organizations (NGOs) in Poland, Cisco’s Talos security researchers report.

The malware, dubbed TinyTurla-NG, represents an evolution of TinyTurla, a small backdoor the group deploys to ensure access to compromised networks in the event other access mechanisms fail or have been removed.

According to Talos, Turla first deployed TinyTurla-NG in December 2023, against a Polish NGO supporting Ukraine. At least three different backdoor samples were used in the campaign, which was active at the end of January 2024.

For command-and-control (C&C) purposes, the attackers used compromised sites running vulnerable versions of WordPress that allowed them to upload PHP files. They relied on different C&C sites to host PowerShell scripts and commands to be executed on victim machines.

The backdoor’s code differs from its predecessor’s: its functionality is split across separate threads, with Windows events used for synchronization between them.

TinyTurla-NG accepts command codes for implant administration and file management: sleep time between instruction requests, switching between cmd and PowerShell, retrieving command execution results, fetching and exfiltrating files, and deleting files.

On systems infected with TinyTurla-NG, Talos identified malicious PowerShell scripts – dubbed TurlaPower-NG – designed to harvest specific files for exfiltration. The scripts focus on password databases and password management software.

Talos observed the attackers issuing modular PowerShell commands to perform reconnaissance on the infected systems, to copy files of interest, and finally exfiltrate the selected files to the C&C. The attackers also attempted to exfiltrate credentials.

“The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations,” Talos explains.

On the compromised WordPress sites used as C&C servers, the attackers deployed a PHP-based script that works both as a handler for the TinyTurla-NG and TurlaPower-NG implants and as a web shell that allows the attackers to execute commands on the compromised domain.

Talos’ analysis of the compromised websites revealed that the attackers deployed scripts allowing remote interaction without having to log into the C&C itself, thus decreasing their fingerprint.

“Operationally, this is a tactic that is beneficial to the threat actors considering that all C&C servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means,” Talos notes.
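Added example, not code from the article or from Talos: a small detector that a site owner could run over web-server access logs to spot the two server-side traces this C&C setup leaves, namely PHP being executed from the WordPress uploads tree and a client that POSTs to one PHP path at near-constant intervals (an implant polling for commands). The log lines, IPs, paths and timestamps are constructed samples, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined-log prefix: ip ident user [time] "method path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real indicators): one client polls a PHP file
# that sits under wp-content/uploads, every ~5 minutes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 1234
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "POST /wp-content/uploads/2023/12/cache.php HTTP/1.1" 200 88
198.51.100.7 - - [10/Jan/2024:10:05:05 +0000] "POST /wp-content/uploads/2023/12/cache.php HTTP/1.1" 200 88
198.51.100.7 - - [10/Jan/2024:10:10:06 +0000] "POST /wp-content/uploads/2023/12/cache.php HTTP/1.1" 200 88
198.51.100.7 - - [10/Jan/2024:10:15:05 +0000] "POST /wp-content/uploads/2023/12/cache.php HTTP/1.1" 200 88
203.0.113.9 - - [10/Jan/2024:10:16:00 +0000] "GET /wp-content/uploads/2023/12/photo.jpg HTTP/1.1" 200 5000
"""

def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path.split("?")[0], int(status)

def php_in_uploads(entries):
    """PHP paths served from the uploads tree; WordPress should never execute PHP there."""
    return sorted({e[3] for e in entries
                   if "/wp-content/uploads/" in e[3] and e[3].lower().endswith(".php")})

def beacons(entries, min_hits=4, jitter=0.2):
    """(ip, path, mean_gap_seconds) for clients POSTing to one .php path on a steady cadence."""
    hits = defaultdict(list)
    for ip, ts, method, path, _ in entries:
        if method == "POST" and path.lower().endswith(".php"):
            hits[(ip, path)].append(ts)
    found = []
    for (ip, path), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # All gaps within +/- jitter of the mean: a timer, not a human
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            found.append((ip, path, round(mean)))
    return found

def analyze(log_text):
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    return {"php_in_uploads": php_in_uploads(entries), "beacons": beacons(entries)}
```

Blocking PHP execution under wp-content/uploads at the web-server level removes the first finding outright; the cadence check is a triage aid, since legitimate cron-style traffic can also be periodic.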

As part of the observed attack, Cisco’s cybersecurity arm also found that Turla deployed a modified version of the Go-based open source tunneling tool Chisel, credential harvesting scripts targeting Chrome and Edge, and a tool for executing commands with high privileges.

Believed to be operating on behalf of the Russian government, Turla has been active since at least 2006 and is also tracked as Krypton, Snake, Venomous Bear, and Waterbug.

Related: Russian Turla Cyberspies Leveraged Other Hackers’ USB-Delivered Malware

Related: New Android Spyware Uses Turla-Linked Infrastructure

Related: Russia-Linked Turla APT Uses New Backdoor in Latest Attacks

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.