Russia-sponsored advanced persistent threat group Turla is now targeting Polish NGOs in a cyberespionage campaign that uses a freshly developed backdoor with modular capabilities, signaling an expansion of the scope of its attacks against supporters of the Ukrainian war effort.
TinyTurla-NG Custom Malware Goes Modular
Like TinyTurla before it, TinyTurla-NG is a service DLL that is started via svchost.
The malware's code is new, and its features are spread across different threads in the implementation, something that sets it apart from its predecessor.
The APT also hosts different PowerShell scripts and arbitrary commands that can be executed on the victim machine according to the attackers' needs, another deviation from previous backdoor capabilities, the researchers said.
It adds capabilities such as the execution of commands through either of two mechanisms: PowerShell or the Windows command-line interpreter.
TinyTurla-NG also deploys a previously unknown PowerShell-based implant dubbed TurlaPower-NG aimed specifically at exfiltrating files that may be of interest to attackers, signaling another shift in the APT's tactics.
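Because TinyTurla-NG persists as a service DLL hosted by svchost.exe, one practical hunt is to enumerate every svchost-hosted service on a machine and look at who signed its ServiceDll. The script below is an added example written for this page, not code from Cisco Talos or from the article; it uses only built-in cmdlets, and the decision to flag anything not validly signed by Microsoft is an assumption about a typical corporate host, not an indicator from the campaign.

```powershell
# Added hunt script (not from Cisco Talos or the article): list every service
# that svchost.exe hosts through a ServiceDll value and flag DLLs that are
# missing on disk, not validly signed, or signed by someone other than
# Microsoft. Run from an elevated prompt for full visibility.

$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

$findings = foreach ($svc in $services) {
    # ServiceDll lives under the service's Parameters subkey; skip services without one
    $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
    if (-not $params) { continue }

    # Only svchost-hosted services are of interest here
    $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -notmatch 'svchost\.exe') { continue }

    # Expand %SystemRoot% and friends so the path can be checked on disk
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    $status = 'Missing'
    $signer = $null
    if (Test-Path -LiteralPath $dll) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = $sig.Status
        $signer = $sig.SignerCertificate.Subject
    }

    [pscustomobject]@{
        Service    = $svc.PSChildName
        ServiceDll = $dll
        SigStatus  = $status
        Signer     = $signer
        # Assumed baseline: on a managed host every svchost service DLL is Microsoft-signed
        Suspicious = ($status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    }
}

$findings | Where-Object Suspicious | Sort-Object Service | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: on some Windows builds Get-AuthenticodeSignature reports catalog-signed system DLLs as NotSigned, so cross-check any hit with a second tool (for example Sysinternals sigcheck) and with the file's hash before escalating.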
Turla: Old Dog, Old & New Tricks
Turla is an experienced APT that has operated for many years, carrying out attacks believed to be on behalf of the Russian government.
The group has used zero-days, legitimate software, and other techniques to deploy backdoors in systems belonging to militaries and governments, diplomatic entities, and technology and research organizations.
In one case, it was even linked, through its Kazuar backdoor, to the now-infamous SolarWinds breach.
The earliest compromise date in this latest campaign against Ukraine-supporting Polish NGOs was Dec. 18, 2023, and the campaign remained active until as recently as Jan. 27, 2024, according to researchers.
There are some indications that it could have even started earlier, in November.
Though TinyTurla-NG and TurlaPower-NG are new forms of custom Turla malware used in the campaign, the group continues to employ old tactics as well, particularly for command-and-control (C2).
It continues to leverage compromised WordPress-based websites as C2s to host and operate the malware.
Defending Against Sophisticated APT Cyberattacks
Cisco Talos included both hashes and domains in its list of indicators of compromise for the latest Turla campaign, as well as a list of security solutions that can provide coverage for organizations worried about being targeted.
Cisco Talos also recommends that organizations watch for hands-on-keyboard activity, such as the archiving of files of interest followed by their exfiltration, to further protect themselves against targeted attacks.
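The "archive, then exfiltrate" pattern is one of the easier hands-on-keyboard behaviours to turn into a detection: a process-creation event for an archiving tool, followed within a short window by an outbound connection from the same user. The script below is an added example written for this page, not Cisco Talos' detection content; the event records it runs over are constructed sample data with invented users, hosts and timestamps whose field names mirror Sysmon's (Event ID 1 for process creation, Event ID 3 for network connections), and the tool list and 15-minute window are assumptions to tune for your environment.

```powershell
# Added detection sketch (not from Cisco Talos or the article): correlate
# archive-tool process creation (Sysmon Event ID 1) with a later outbound
# connection (Sysmon Event ID 3) by the same user inside a time window.
# The records below are constructed sample data, not real telemetry.

$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:00'; Id = 1; User = 'CORP\jdoe';   Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe report.docx'; DestHost = $null }
    # -p and -mhe=on make a password-protected 7z archive with encrypted headers, a classic staging step
    [pscustomobject]@{ Time = [datetime]'2024-01-10T22:14:05'; Id = 1; User = 'CORP\jdoe';   Image = 'C:\Program Files\7-Zip\7z.exe'; CommandLine = '7z.exe a -p -mhe=on C:\Users\Public\out.7z C:\Users\jdoe\Documents\grants'; DestHost = $null }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T22:16:40'; Id = 3; User = 'CORP\jdoe';   Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = $null; DestHost = 'blog.example.net' }
    [pscustomobject]@{ Time = [datetime]'2024-01-11T08:30:00'; Id = 3; User = 'CORP\asmith'; Image = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'; CommandLine = $null; DestHost = 'outlook.office365.com' }
)

# Assumed list of archiving tools worth watching; extend for your environment
$archiveTools = 'rar.exe', 'winrar.exe', '7z.exe', '7za.exe', 'tar.exe', 'makecab.exe'
$window = [timespan]::FromMinutes(15)   # assumed correlation window

function Find-ArchiveThenExfil {
    param([object[]]$Events, [string[]]$ArchiveTools, [timespan]$Window)

    # Process-creation events whose image is one of the archiving tools
    $archives = $Events | Where-Object {
        $_.Id -eq 1 -and ($ArchiveTools -contains ([IO.Path]::GetFileName($_.Image).ToLower()))
    }

    foreach ($a in $archives) {
        # Any outbound connection by the same user after the archive, within the window
        $outbound = $Events | Where-Object {
            $_.Id -eq 3 -and $_.User -eq $a.User -and
            $_.Time -gt $a.Time -and ($_.Time - $a.Time) -le $Window
        }
        foreach ($o in $outbound) {
            [pscustomobject]@{
                User        = $a.User
                ArchivedAt  = $a.Time
                ArchiveCmd  = $a.CommandLine
                ConnectAt   = $o.Time
                ConnectFrom = [IO.Path]::GetFileName($o.Image)
                DestHost    = $o.DestHost
            }
        }
    }
}

# On the sample data this reports exactly one pairing: jdoe's 7z run at 22:14
# followed by a powershell.exe connection to blog.example.net at 22:16.
Find-ArchiveThenExfil -Events $events -ArchiveTools $archiveTools -Window $window | Format-List
```

On a real host the $events array would come from Get-WinEvent against the Microsoft-Windows-Sysmon/Operational log, with the same fields pulled from each event's XML. The logic is deliberately coarse (same user, time order, short window); pairing the archive's output path with the bytes sent on the connection, and tightening the destination to hosts outside a known-good list, are the obvious next refinements.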
This Cyber News was published on www.darkreading.com. Publication date: Thu, 15 Feb 2024 15:50:34 +0000