TinyTurla-NG Backdoor

The Turla threat actor, believed to be backed by Russia, has been observed employing a new backdoor named TinyTurla-NG in a campaign spanning three months. The attack operation specifically targeted non-governmental organizations in Poland toward the end of 2023. Similar to its predecessor, TinyTurla, TinyTurla-NG functions as a compact 'last resort' backdoor. It is strategically deployed to remain dormant until all other unauthorized access or backdoor mechanisms on the compromised systems have either failed or been discovered.

Named for its resemblance to TinyTurla, TinyTurla-NG is another implant utilized by the adversarial collective in intrusions targeting the U.S., Germany, and Afghanistan since at least 2020. The cybersecurity company initially documented TinyTurla in September 2021.

The Turla APT Group Has Been Compormising Targets Aligned with Russia’s Interests

The threat actors known as Turla are also tracked by cybersecurity specialists under various other aliases, including Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos and Venomous Bear. This hacker group is affiliated with the Russian state and linked to its Federal Security Service (FSB).

In recent months, Turla has specifically targeted the defense sector in Ukraine and Eastern Europe, employing a new .NET-based backdoor named DeliveryCheck. Simultaneously, the threat actor has upgraded its longstanding second-stage implant, Kazuar, which has been in use since at least 2017.

The most recent campaign featuring TinyTurla-NG traces back to the end of 2023 and reportedly continued until January 27, 2024. However, there are suspicions that the malicious activity might have commenced as early as November 2023 based on the compilation dates of the associated malware.

An Overview of the TinyTurla-NG Attack Campaign

Findings regarding the attack operation involving the TinyTurla-NG malware have revealed a deliberate targeting of Polish non-governmental organizations (NGOs), with at least one of them providing support to Ukraine. Although NGOs maintain a stance of non-involvement in conflicts, they often play a vital role in providing assistance to those affected by them. This makes them potential targets for aggressor factions seeking to monitor aid flows, both existing and potential, to the victims of conflicts.

Turla has gained notoriety for its global targeting strategy, deploying an extensive array of offensive tools across regions like the U.S., European Union, Ukraine, and Asia. Previous operations have seen the utilization of malware strains such as Capibar and Kazuar, particularly in targeting Ukrainian defense forces. With the introduction of TinyTurla-NG and TurlaPower-NG malware families following Crutch and TinyTurla, Turla has broadened its toolkit while simultaneously expanding its scope to include NGOs. This shift indicates a concerted effort by the adversary to diversify both their malware capabilities and the range of targets in alignment with Russia's strategic and political objectives.

In this particular campaign, Turla leverages compromised WordPress-based websites as Command-and-Control (C2) endpoints for the TinyTurla-NG backdoor. The operators exploit vulnerabilities in various WordPress versions (including 4.4.20, 5.0.21, 5.1.18, and 5.7.2), enabling the uploading of PHP files containing the C2 code, identified by names like rss-old.php, rss.old.php, or block.old.php.

TinyTurla-NG Is Used for the Delivery of Infostealer Malware

The distribution method of the TinyTurla-NG backdoor remains unknown at present. However, it has been observed utilizing compromised WordPress-based websites as C2. These websites serve to retrieve and execute instructions, allowing TinyTurla-NG to execute commands through PowerShell or Command Prompt (cmd.exe) and facilitate file download/upload activities.

Additionally, TinyTurla-NG serves as a conduit for delivering TurlaPower-NG, which consists of PowerShell scripts designed to exfiltrate crucial information used to secure password databases of popular password management software. The exfiltrated data is typically packaged into a ZIP archive.

This campaign exhibits a high level of targeting, focusing on a select number of organizations, with confirmation currently limited to those based in Poland. The campaign is characterized by strong compartmentalization, where a few compromised websites serving as C2s interact with only a limited number of samples. This structure makes it challenging to pivot from one sample/C2 to others within the same infrastructure.

TinyTurla-NG Can Run Arbitrary Commands on Infected Devices

Throughout the attack campaign, various C2 servers were employed to host PowerShell scripts and arbitrary commands, facilitating their execution on the victim's system. Similar to TinyTurla, the malware operates as a service Dynamic Link Library (DLL), initiated through svchost.exe. Notably, the malware's codebase is novel and distinct. Diverse features of the malware are dispersed across different threads, with Windows events utilized for synchronization. The primary malware thread is initiated within the ServiceMain function of the DLL.

Following an assessment of PowerShell and Windows versions, a dedicated thread initiates communication with the C2 by transmitting a campaign identifier ('id') along with the message 'Client Ready,' signifying a successful infection registration.

Upon successful registration, the TinyTurla-NG backdoor queries the C2 for tasks to execute (via the gettask_loop function). Subsequently, a secondary thread, initiated by the CheckOSVersion_Start_WorkerThreads function, executes the task commands relayed by the C2. Synchronization between these threads is orchestrated through the aforementioned Windows event. Upon task reception from the C2, the first thread triggers the event (within the thread1_function).

Tasks are executed either through PowerShell or command shell (cmd.exe), determined by the PowerShell version on the victim's system.

In addition to executing task content directly received from the C2 (e.g., C:\windows\system32\malware.exe), the backdoor acknowledges specific command codes from the C2 designed for implant administration or file management:

Timeout: Alters the duration, in minutes, for which the backdoor waits between requesting new tasks from the C2. The new timeout period is determined by the parameter sent by the C2.

Changeshell: Instructs the backdoor to switch between command shells, transitioning from cmd.exe to PowerShell.exe or vice versa.

Changepoint: Facilitates retrieval of command execution results from the infected endpoint, along with logging messages collected for administrative commands executed since the last 'changepoint' issuance.

Get: Retrieves a specified file from the C2 via an HTTP GET request, saving it to the designated location on disk.

Post: Exfiltrates a file from the victim's system to the C2.

Killme: Generates a BAT file named based on the current tick count, utilized to delete a file from the victim's disk via cmd.exe /c .bat execution.

It should be noted that the killme command generates a batch file designed to delete a Registry key in HKCU\SW\classes\CLSID and restart 'explorer.exe,' hinting at an effort to establish persistence through COM hijacking—a tactic previously employed by Turla for malware persistence.

The Deployed TinyPower-NG Can Harvest Sensitive Account Credentials

During the investigation into Turla's attack operation, researchers uncovered corrupted PowerShell scripts dubbed 'TurlaPower-NG,' deployed to compromised endpoints through the TinyTurla-NG backdoor. These scripts are configured with the C2 URL and specific target file paths. When executed, each specified file path triggers a recursive scan, adding discovered files to an on-disk archive. Notably, TurlaPower-NG deliberately omits files with the '.mp4' extension from inclusion in the archive. The attackers displayed a keen interest in acquiring key materials crucial for securing password databases and widely used password management software.

The created archive, utilizing the '.zip' extension, dynamically generates its name by creating a new GUID. This unique identifier serves as the archive's name. Subsequently, the archive file is transmitted to the C2 via HTTP/S POST requests, accompanied by a detailed activity log sent concurrently. The log is comprised of:

• The name of the archive file (or its fragment) is posted to the C2.
•  The count of files contained within the archive, along with its size.

Backdoors Allow Threat Actors to Perform Various Threatening Activities

Devices infected with backdoor malware threats pose significant dangers, including:

• Unauthorized Access: Backdoors provide a stealthy entry point for cybercriminals to enter a device. Once infected, attackers can gain unauthorized access, compromising sensitive data, personal information, or intellectual property.
•   Data Theft and Espionage: Backdoors can be exploited to exfiltrate confidential information, such as financial records, personal details, or business strategies. This collected data may be used for identity theft, corporate espionage, or sold on the Dark Web.
•   Persistent Control: Backdoors often enable persistent control over a compromised device. Attackers can remotely manipulate the device, execute unsafe commands, and maintain access without the user's knowledge for extended periods.
•   Propagation and Lateral Movement: Backdoors may facilitate the spread of malware within a network by allowing attackers to move laterally from one device to another. This can lead to widespread infections, making it challenging for organizations to contain and eradicate the threat.
•   Ransomware Deployment: Backdoors can serve as an entry point for deploying ransomware encrypting files on the infected device or network. The criminals then demand a ransom for the decryption key, disrupting normal operations and causing financial losses.
•   Compromised System Integrity: Backdoors may compromise the integrity of a system by modifying or disabling security features. This could lead to a range of issues, including the inability to detect or remove the malware, leaving the device vulnerable to further exploitation.
•   Supply Chain Attacks: Backdoors can be injected into software or firmware during the supply chain process. Devices with pre-installed backdoors can be distributed to unsuspecting users, posing a significant threat to individuals, businesses, and even critical infrastructure.

To mitigate these dangers, it is fundamental for individuals and organizations to set up robust cybersecurity measures, including regular software updates, anti-malware solutions, network monitoring, and user education on recognizing and avoiding potential threats.