
Turla APT Hackers Introduce the TinyTurla Backdoor

Any discussion of Russian hackers has to mention the Turla APT (Advanced Persistent Threat) group. Their operations have been observed closely since 2014, and they are believed to be one of the major Russia-backed hacking groups. Their most notorious implant, the Turla Backdoor, is named after the group itself. It has undergone major changes since its initial release, but the criminals continue to rely on the Trojan to this day. They have recently unleashed a 'mini' version of the threat, the TinyTurla Backdoor. It preserves some of the original features of the Turla Backdoor but lacks others. The limited functionality, however, allows it to stay hidden for extended periods without raising too many red flags.

The lack of functionality is unlikely to be a problem for the Turla hackers, since they appear to have a plan for how the TinyTurla Backdoor will be used. Instead of executing fully-fledged attacks on its own, it is designed to gain persistence and then deploy additional payloads. This would explain why the criminals have opted to strip out some of its features and focus on evasiveness instead.

The targets that the Turla APT hackers are interested in appear to be based in Germany and the United States. Of course, it will probably not be long before they expand the scope of this operation and deploy the TinyTurla Backdoor in more countries.

Apart from borrowing the Turla Backdoor's code, the TinyTurla implant also leverages the same network configuration and servers, further cementing the connection between the infamous hackers and this mini backdoor Trojan. 

What Do the TinyTurla Backdoor's Capabilities Include?

While the TinyTurla Backdoor lacks some notable features, it still has plenty of firepower to cause harm. The criminals are able to control the implant remotely through a set of pre-defined commands. With these commands, they can manage the file system, control processes, and even modify the network configuration. One interesting feature of the TinyTurla Backdoor is that it requires the criminals to authenticate themselves. This is likely meant to protect the implant from other criminals or nosy malware analysts. So far, the TinyTurla Backdoor's activity remains fairly low. However, it remains to be seen how this campaign of the Turla APT hackers will develop.
