Summary:
Cisco Talos has provided updated details on a new campaign where the Russian espionage group Turla deployed their custom backdoor dubbed TinyTurla-NG to infect multiple systems in the compromised network of a European non-government organization (NGO). While it’s unclear how exactly the group gained initial access, Turla in the past has initiated drive-by compromises and employed phishing lures to obtain a foothold into victim environments.

In the latest campaign, researchers note that initial access is followed by adding exclusions in the anti-virus software, including Microsoft Defender, to locations where the group will host the backdoor on the compromised systems. This is followed by the employment of one or more batch (BAT) files designed to create a service on the system to set up persistence for the TinyTurla-NG implant. According to Cisco Talos, this service is created with the name “sdm” masquerading as a “System Device Manager” service - a method employed to evade detection. Once initiated this service will start the execution of TinyTurla-NG, which can be further used to conduct reconnaissance of the targeted system and other operations such as data exfiltration, credential harvesting, etc. Notably, researchers highlight the deployment of a custom-built Chisel beacon using TinyTurla-NG which can be used to set up a reverse proxy tunnel to an attacker-controlled box to help with the exfiltration process and even move laterally to other systems.

Security Officer Comments:
The latest attack seems to be an ongoing campaign with the group targeting NGOs including those residing in Poland. These attacks are likely in retaliation to the support Ukraine has been receiving in the ongoing war with Russia, as entities in the U.S., European Union, Ukraine, and Asia have also been the target of Turla attacks. As the conflict in Ukraine persists, Turla continues to expand its suite of malware with payloads like TinyTurla-NG and go after allies of Ukraine to support Russia’s strategic and political goals.

Suggested Corrections:
Turla typically uses compromised WordPress sites to set up its C2 servers, highlighting the need for admins of content management sites to regularly update third-party plugins for known vulnerabilities, rotate and change default passwords, and implement multi-factor authentication. Given Turla employs phishing lures to infect potential targets, organizations should train employees on different phishing techniques and hold regular tabletop exercises to increase awareness and proficiency in detecting/deterring potential attacks.

Latest Turla IOCs:
https://blog.talosintelligence.com/tinyturla-full-kill-chain/

Link(s):
https://thehackernews.com/2024/03/russia-hackers-using-tinyturla-ng-to.html