TinyTurla-NG Backdoor Used Against Targets in Poland


The Russia-linked threat actor Turla has been observed using a new backdoor, TinyTurla-NG, in a campaign of roughly three months against Polish non-governmental organizations that began in December 2023. According to a technical report by Cisco Talos, TinyTurla-NG is a small 'last chance' backdoor, kept in reserve for use when the actor's other access or backdoor mechanisms on an infected system have failed or been detected.

The backdoor shares similarities with TinyTurla, an implant the group has used in intrusions against the U.S., Germany, and Afghanistan since at least 2020. Cisco Talos first documented TinyTurla in September 2021.

Turla, also known by aliases such as Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor with links to the Federal Security Service (FSB). In recent months, Turla has focused on the defense sector in Ukraine and Eastern Europe, deploying a new .NET-based backdoor called DeliveryCheck. Additionally, Turla has upgraded its longstanding second-stage implant, Kazuar, utilized as early as 2017.

TinyTurla-NG Last Deployed Around Christmas 2023

The latest campaign involving TinyTurla-NG took place between December 18, 2023, and January 27, 2024, although malware compilation timestamps suggest the activity may have started as early as November 2023. The initial distribution method of the backdoor is unknown, but it uses compromised WordPress-based websites as command-and-control (C2) endpoints. The backdoor fetches instructions from these sites and executes them, which lets TinyTurla-NG run commands through PowerShell or the Command Prompt (cmd.exe) and download or upload files.

TinyTurla-NG also serves as a conduit for PowerShell scripts known as TurlaPower-NG, which exfiltrate, as a ZIP archive, key material used to secure the password databases of popular password management software. The campaign is highly compartmentalized: a small number of compromised websites act as C2s, each contacted by only a few samples. This makes it hard to pivot from one sample or C2 to others on the same infrastructure while remaining confident that they are related.

A Closer Look at TinyTurla-NG

Like TinyTurla, the malware is a service DLL started through svchost.exe. Beyond the core malware code being new, the malware's functionality is also spread across multiple threads, which synchronize using Windows events. The initial main malware thread is started from the DLL's ServiceMain function.

After checking the PowerShell and Windows versions, the main thread opens communication with the command and control (C2) server by sending a campaign identifier ("id") along with the message "Client Ready", which registers the infection with the C2.

Once registered, the TinyTurla-NG (TTNG) backdoor requests tasks to execute from the C2 server (via the gettask_loop function). A second thread, started by the CheckOSVersion_Start_WorkerThreads function, executes the task commands received from the C2. This thread stays idle until the backdoor receives a response from the C2; synchronization between the two threads uses the Windows event mentioned above, which the first thread signals (in thread1_function) once it has received a task from the C2.

Tasks can be executed either through PowerShell or the command shell (cmd.exe), with the choice based on the version of PowerShell found on the infected machine.
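The page identifies the backdoor as a service DLL that svchost.exe loads, but gives no service name or file path to search for. The PowerShell script below is an added hunting example, not code from Talos or from the malware: it walks the registry's service entries, keeps the ones whose ImagePath runs under svchost.exe, and flags any ServiceDll that sits outside System32/SysWOW64, is unsigned, is signed by someone other than Microsoft, or is missing from disk. It is Windows-only (Get-AuthenticodeSignature) and should be run from an elevated session; the trusted-root list is an assumption you may need to extend for legitimate third-party service DLLs.

```powershell
# Added hunting example (not from the Talos report): list svchost-hosted service DLLs
# that are unsigned, not Microsoft-signed, outside the Windows system directories,
# or absent from disk. Run elevated on the host under examination.

function Get-SuspiciousServiceDll {
    [CmdletBinding()]
    param(
        # Assumed "expected" locations for service DLLs; anything else is flagged.
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        # svchost-hosted services register their DLL under <Service>\Parameters\ServiceDll
        $paramsPath = Join-Path $svc.PSPath 'Parameters'
        $props = Get-ItemProperty -Path $paramsPath -Name ServiceDll -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ServiceDll) { continue }

        # Only services that actually run inside svchost.exe are of interest here
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath -or $imagePath -notmatch 'svchost\.exe') { continue }

        $dll = [Environment]::ExpandEnvironmentVariables($props.ServiceDll)
        $reasons = @()

        # Location check: a DLL outside System32/SysWOW64 is unusual for an svchost service
        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) {
            if ($dll.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
        }
        if (-not $inTrustedRoot) { $reasons += 'outside System32/SysWOW64' }

        # Signature check: expect a valid Authenticode (or catalog) signature from Microsoft
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reasons += "non-Microsoft signer: $($sig.SignerCertificate.Subject)"
            }
        } else {
            $reasons += 'ServiceDll missing on disk'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                ServiceDll = $dll
                ImagePath  = $imagePath
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServiceDll | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: some vendor software legitimately installs svchost-hosted DLLs, and a file whose signature is only in a catalog that has been removed will also show up. Anything that is both outside the system directories and not Microsoft-signed deserves a hash lookup and a look at the service's creation time.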

TurlaPower Component

Talos has also identified malicious PowerShell scripts, referred to as "TurlaPower-NG", that are deployed to compromised endpoints through the TTNG backdoor. Each script embeds the command and control (C2) URL and a set of target file paths. Every path is enumerated recursively and the files found are added to an archive written to disk, with files carrying the ".mp4" extension explicitly excluded. The attackers show a specific interest in key material used to protect the password databases of popular password management software, and files related to it are included in the archive.

The archive, which carries a ".zip" extension, is named with a newly generated GUID. It is then sent to the C2 via HTTP/S POST requests, together with a log of the activity performed: the name (or part of the name) of the archive posted to the C2, the number of files it contains, and its total size.
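The naming described above (a fresh GUID plus ".zip", sent by HTTP/S POST) is something a proxy or web-filter log can be searched for. The script below is an added detection example, not code from Talos or from TurlaPower-NG; the log lines it runs over are constructed here in a simplified space-separated format (timestamp, client, method, URL, bytes sent) and will need re-mapping to your proxy's actual field layout.

```powershell
# Added detection example (not from the Talos report): flag HTTP/S POSTs whose URL
# ends in <GUID>.zip, the archive naming pattern described for TurlaPower-NG.
# The sample log below is constructed for this example; the C2 hosts are placeholders.

$SampleProxyLog = @'
2024-01-12T10:41:03Z 10.0.0.15 GET https://intranet.example.local/index.html 0
2024-01-12T10:42:17Z 10.0.0.15 POST https://blog.example.net/uploads/4e1f3c2a-9b7d-4f0e-8a6c-1d2e3f4a5b6c.zip 2480331
2024-01-12T10:43:44Z 10.0.0.22 POST https://files.example.org/upload?name=report.zip 10240
2024-01-12T10:45:02Z 10.0.0.15 POST https://blog.example.net/cache/A1B2C3D4-E5F6-47A8-9B0C-D1E2F3A4B5C6.ZIP 193
2024-01-12T10:46:10Z 10.0.0.31 GET https://blog.example.net/cache/7d8e9f00-1111-4222-8333-444455556666.zip 0
'@

function Find-GuidZipUpload {
    param([string[]]$Lines)

    # GUID in 8-4-4-4-12 form as the last path segment, followed by .zip and then
    # either end of string or a query/fragment. -match is case-insensitive by default.
    $guidZip = '/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zip(?:[?#]|$)'

    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        # Only uploads matter: method must be POST and the line must carry all five fields
        if ($f.Count -lt 5 -or $f[2] -ne 'POST') { continue }
        if ($f[3] -match $guidZip) {
            [pscustomobject]@{
                Time   = $f[0]
                Client = $f[1]
                Url    = $f[3]
                Bytes  = [int64]$f[4]
            }
        }
    }
}

# Expected hits from the constructed sample: the two POSTs from 10.0.0.15 (the GET and the
# report.zip upload are ignored).
Find-GuidZipUpload -Lines ($SampleProxyLog -split "`r?`n") | Format-Table -AutoSize
```

GUID-named ZIPs are not unique to this tooling, so use the match as a pivot rather than an alert on its own: group hits by client and destination, and look at whether the destination is a small, unrelated WordPress site that the client has no business uploading to, which fits the C2 pattern the page describes.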

February 19, 2024
