Russian Turla Cyberspies Target Polish NGOs With New Backdoor

Russian state-sponsored threat actor Turla has been using a new backdoor in recent attacks targeting Polish NGOs.

Russian state-sponsored threat actor Turla has been observed deploying a new backdoor in recent attacks targeting non-governmental organizations (NGOs) in Poland, Cisco’s Talos security researchers report.

The malware, dubbed TinyTurla-NG, represents an evolution of TinyTurla, a small backdoor the group deploys to ensure access to compromised networks in the event other access mechanisms fail or have been removed.

According to Talos, Turla first deployed TinyTurla-NG in December 2023, against a Polish NGO supporting Ukraine. At least three different backdoor samples were used in the campaign, which was active at the end of January 2024.

For command-and-control (C&C) purposes, the attackers used compromised sites running vulnerable versions of WordPress that allowed them to upload PHP files. They relied on different C&C sites to host PowerShell scripts and commands to be executed on victim machines.

The backdoor’s code is different from its predecessor’s, with features distributed via different threads and Windows events used for synchronization.

TinyTurla-NG accepts command codes covering implant administration and file management: setting the sleep time between instruction requests, switching between cmd.exe and PowerShell as the execution shell, retrieving command execution results, fetching and exfiltrating files, and deleting files.

On systems infected with TinyTurla-NG, Talos identified malicious PowerShell scripts – dubbed TurlaPower-NG – designed to harvest specific files for exfiltration. The scripts focus on password databases and password management software.

Talos observed the attackers issuing modular PowerShell commands to perform reconnaissance on the infected systems, to copy files of interest, and finally exfiltrate the selected files to the C&C. The attackers also attempted to exfiltrate credentials.


“The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations,” Talos explains.

On the compromised WordPress sites used as C&C servers, the attackers deployed a PHP-based script that works both as a handler for the TinyTurla-NG and TurlaPower-NG implants and as a web shell that allows the attackers to execute commands on the compromised domain.

Talos’ analysis of the compromised websites revealed that the attackers deployed scripts allowing remote interaction without having to log into the C&C itself, thus reducing their footprint on those servers.

“Operationally, this is a tactic that is beneficial to the threat actors considering that all C&C servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means,” Talos notes.

Cisco’s cybersecurity arm also found that, as part of the observed attack, Turla deployed a modified version of Chisel, the Go-based open source tunneling tool, credential-harvesting scripts targeting Chrome and Edge, and a tool for executing commands with high privileges.
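A defender-side correlation check in the spirit of the behaviour described above (script-driven harvesting of password databases and browser credential stores, followed by a connection to a C&C that lives on a compromised website). This is an added example, not Talos’ code or any actual Turla artifact; the log format, the watch-list of password-store paths, and the hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not from the Talos report): one event per line.
SAMPLE_EVENTS = """
pid=4120 proc=powershell.exe event=FileRead path=C:\\Users\\jdoe\\Documents\\ngo-vault.kdbx
pid=4120 proc=powershell.exe event=FileRead path=C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
pid=4120 proc=powershell.exe event=NetConnect dest=https://compromised-blog.invalid/wp-content/uploads/h.php
pid=5310 proc=KeePass.exe event=FileRead path=C:\\Users\\jdoe\\Documents\\ngo-vault.kdbx
pid=5310 proc=KeePass.exe event=NetConnect dest=https://keepass.info/update_version.txt
pid=6002 proc=powershell.exe event=FileRead path=C:\\Scripts\\inventory.ps1
pid=6002 proc=powershell.exe event=NetConnect dest=https://intranet.example/api
""".strip().splitlines()

# Script hosts a PowerShell/cmd-based collector would run under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Assumed watch-list of password-store files (KeePass, Chromium "Login Data",
# Firefox logins.json, common password-manager folders); not taken from the report.
PASSWORD_STORE_RE = re.compile(
    r"(\.kdbx$|\\Login Data$|\\logins\.json$|\\1Password|\\Bitwarden)", re.IGNORECASE
)

EVENT_RE = re.compile(r"^pid=(\d+) proc=(\S+) event=(\S+) (?:path|dest)=(.*)$")


def parse_event(line):
    """Parse one constructed telemetry line into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    pid, proc, kind, detail = m.groups()
    return {"pid": int(pid), "proc": proc.lower(), "event": kind, "detail": detail}


def detect_script_credential_exfil(lines):
    """Alert when a script host reads a password store and then opens an outbound connection."""
    touched = defaultdict(list)  # pid -> password-store paths read so far
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["proc"] not in SCRIPT_HOSTS:
            continue  # a password manager or browser reading its own store is normal
        if ev["event"] == "FileRead" and PASSWORD_STORE_RE.search(ev["detail"]):
            touched[ev["pid"]].append(ev["detail"])
        elif ev["event"] == "NetConnect" and touched.get(ev["pid"]):
            alerts.append({"pid": ev["pid"], "proc": ev["proc"],
                           "files": list(touched[ev["pid"]]), "dest": ev["detail"]})
    return alerts


if __name__ == "__main__":
    for a in detect_script_credential_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['proc']} read {len(a['files'])} password store(s), then connected to {a['dest']}")
```

The rule deliberately keys on the process performing the read rather than on the destination, since the page notes the C&C hosts were ordinary compromised websites that would not stand out on a reputation list.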

Believed to be operating on behalf of the Russian government, Turla has been active since at least 2006 and is also tracked as Krypton, Snake, Venomous Bear, and Waterbug.

Related: Russian Turla Cyberspies Leveraged Other Hackers’ USB-Delivered Malware

Related: New Android Spyware Uses Turla-Linked Infrastructure

Related: Russia-Linked Turla APT Uses New Backdoor in Latest Attacks

Ionut Arghire is an international correspondent for SecurityWeek.
