Jump to content
  • Russian Turla APT Group Deploying New Backdoor on Targeted Systems

    aum

    • 450 views
    • 3 minutes
     Share


    • 450 views
    • 3 minutes

    State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan.

     

    Cisco Talos attributed the attacks to the Turla advanced persistent threat (APT) group, coining the malware "TinyTurla" for its limited functionality and efficient coding style that allows it to go undetected. Attacks incorporating the backdoor are believed to have occurred since 2020.

     

    "This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed," the researchers said. "It could also be used as a second-stage dropper to infect the system with additional malware." Furthermore, TinyTurla can upload and execute files or exfiltrate sensitive data from the infected machine to a remote server, while also polling the command-and-control (C2) station every five seconds for any new commands.

     

    Also known by the monikers Snake, Venomous Bear, Uroburos, and Iron Hunter, the Russian-sponsored espionage outfit is known for its cyber offensives targeting government entities and embassies spanning across the U.S., Europe, and Eastern Bloc nations. The TinyTurla campaign involves the use of a .BAT file to deploy the malware, but the exact intrusion route remains unclear as yet.

     

    The novel backdoor — which camouflages as an innocuous but fake Microsoft Windows Time Service ("w32time.dll") to fly under the radar — is orchestrated to register itself and establish communications with an attacker-controlled server to receive further instructions that range from downloading and executing arbitrary processes to uploading the results of the commands back to the server.

     

    hacking.jpg

     

    TinyTurla's links to Turla come from overlaps in the modus operandi, which has been previously identified as the same infrastructure used by the group in other campaigns in the past. But the attacks also stand in stark contrast to the outfit's historical covert campaigns, which have included compromised web servers and hijacked satellite connections for their C2 infrastructure, not to mention evasive malware like Crutch and Kazuar.

     

    "This is a good example of how easy malicious services can be overlooked on today's systems that are clouded by the myriad of legit services running in the background at all times," the researchers noted.

     

    "It's more important now than ever to have a multi-layered security architecture in place to detect these kinds of attacks. It isn't unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...