TinyFluff Backdoor

The cybercriminal organization tracked by infosec researchers as OldGremlin is back on the move. This particular threat actor prefers to lay low and execute only a couple of threatening campaigns before once again going into dormancy. Still, the group is extremely sophisticated and its attacks are carefully planned, executed and closed. Among the distinguishing characteristics of OldGremlin are the fact that its victims are always Russian businesses and it uses custom-made backdoor threats to deliver its final ransomware payloads. It should be noted that in one confirmed case, the group asked its victims for a ransom of $3 million, which could explain the lack of urgency to be constantly active.

Backdoor Details

The latest operations of OldGremlin include two phishing attacks that deliver a new backdoor threat named TinyFLuff Backdoor. TinyFluff appears to be a modified and updated variant of an older OldGremlin backdoor threat tracked as TinyNode. The researchers at Group-IB have observed two different variants of TinyFluff. The earlier one is more complex while the more recent variant has been streamlined and simplified to facilitate use on the fly. The backdoor threat is likely to be further optimized for any future attacks.

TinyFluff will launch a Node.js interpreter and provide the hackers with access to the breached devices. However, before being fully activated, the threat will check the compromised system for signs of virtualization or a test environment. Afterward, TinyFluff will move on to the reconnaissance stage of the attack operation. The commands received by the backdoor arrive in clear text form, allowing the cybersecurity researchers to easily examine them.

According to their findings, TinyFluff can be instructed to start collecting system information, information about any connected drives and the plugging installed on the system. The threat also is capable of launching a cmd.exe shell to execute commands. It al can obtain information about files contained in specific directories on the system's drive. Finally, TinyFluff can terminate the activities of the Node.js interpreter.