Russian APT Turla Wields Novel Backdoor Malware Against Polish NGOs


Russia-sponsored advanced persistent threat group (APT) Turla is now targeting Polish NGOs in a cyberespionage campaign that uses a freshly developed backdoor with modular capabilities, signaling an expansion of the scope of its attacks against supporters of the Ukrainian war effort.

According to a Cisco Talos blog post published today on Turla (aka Snake, Uroburos, Venomous Bear, or Waterbug), the backdoor used in the attacks, dubbed "TinyTurla-NG," has functionality very much like the APT's known custom malware, the similarly named TinyTurla. It acts as a "last-chance" backdoor "that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems," Cisco Talos researchers wrote in the post.

TinyTurla-NG Custom Malware Goes Modular

Like TinyTurla before it, TinyTurla-NG is a service DLL that is started via svchost.exe. The code itself, however, is new: the malware's individual features run in separate threads, something that sets it apart from its predecessor.
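Because a service DLL hosted by svchost.exe is also how dozens of legitimate Windows services run, the persistence mechanism described above is best hunted by comparing every svchost-hosted service's `Parameters\ServiceDll` value against a golden-image baseline. The Python below is an added example written for this page, not code from Talos or from the malware: it scores services that are missing from the baseline, whose DLL differs from the expected one (a hijack), whose DLL lives outside System32, or whose DLL sits in a user-writable directory, and it flags service names that look like a known one. The baseline, the writable-directory list, the look-alike threshold and every entry in `SAMPLE` (including the `w32tlme` and `ProfSvcHelper` services) are constructed for illustration and are not indicators from the report; on a real host you would populate `SAMPLE` from `HKLM\SYSTEM\CurrentControlSet\Services`.

```python
"""Hunt for suspicious svchost.exe-hosted service DLLs.

Added example (not Talos's or Turla's code). Scores entries from
HKLM\\SYSTEM\\CurrentControlSet\\Services against a golden-image baseline.
Input is a constructed list so the script runs offline.
"""
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32"
# Directories a service DLL has no business living in (user-writable / staging areas). Assumed list.
WRITABLE_DIRS = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp", "c:\\windows\\tasks")

# Constructed golden-image baseline: service name -> expected ServiceDll. Not exhaustive.
BASELINE = {
    "w32time": "%SystemRoot%\\System32\\w32time.dll",
    "wuauserv": "%SystemRoot%\\System32\\wuaueng.dll",
    "bits": "%SystemRoot%\\System32\\qmgr.dll",
}


@dataclass
class ServiceEntry:
    name: str
    image_path: str   # Services\<name>\ImagePath
    service_dll: str  # Services\<name>\Parameters\ServiceDll ("" if absent)


def norm(path: str) -> str:
    """Lower-case and expand %SystemRoot% so paths compare consistently."""
    return path.lower().replace("%systemroot%", "c:\\windows")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike service names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(svc: ServiceEntry, baseline=BASELINE):
    """Return (score, reasons) for one service. Only svchost-hosted services are scored."""
    if "svchost.exe" not in norm(svc.image_path) or not svc.service_dll:
        return 0, []
    name, dll = svc.name.lower(), norm(svc.service_dll)
    score, reasons = 0, []
    if name in baseline:
        if dll != norm(baseline[name]):
            score += 3
            reasons.append("ServiceDll differs from baseline (possible hijack)")
    else:
        score += 2
        reasons.append("service not in baseline")
        lookalikes = [b for b in baseline if edit_distance(name, b) <= 2]
        if lookalikes:
            score += 1
            reasons.append("name resembles " + ", ".join(lookalikes))
    if not dll.startswith(SYSTEM32 + "\\"):
        score += 2
        reasons.append("ServiceDll outside System32")
    if any(dll.startswith(d) for d in WRITABLE_DIRS):
        score += 3
        reasons.append("ServiceDll in user-writable directory")
    return score, reasons


def hunt(entries, baseline=BASELINE):
    """Return [(name, score, reasons)] for every entry scoring above zero, highest first."""
    hits = []
    for svc in entries:
        score, reasons = assess(svc, baseline)
        if score:
            hits.append((svc.name, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample registry contents for demonstration; none of these are real IoCs.
SAMPLE = [
    ServiceEntry("W32Time", "%SystemRoot%\\system32\\svchost.exe -k LocalService", "%SystemRoot%\\System32\\w32time.dll"),
    ServiceEntry("wuauserv", "%SystemRoot%\\system32\\svchost.exe -k netsvcs", "%SystemRoot%\\system32\\wuaueng.dll"),
    ServiceEntry("Spooler", "%SystemRoot%\\System32\\spoolsv.exe", ""),
    ServiceEntry("BITS", "%SystemRoot%\\System32\\svchost.exe -k netsvcs", "%SystemRoot%\\System32\\qmgrx.dll"),
    ServiceEntry("w32tlme", "%SystemRoot%\\System32\\svchost.exe -k LocalService", "%SystemRoot%\\System32\\w32tlme.dll"),
    ServiceEntry("ProfSvcHelper", "%SystemRoot%\\System32\\svchost.exe -k netsvcs", "C:\\ProgramData\\Microsoft\\prof\\helper.dll"),
]

if __name__ == "__main__":
    for name, score, reasons in hunt(SAMPLE):
        print(f"{score:2d} {name}: {'; '.join(reasons)}")
```

A DLL inside System32 with a plausible name is exactly what the look-alike and hijack checks are for; the scores are additive so that a DLL in `C:\ProgramData` from an unknown service rises to the top, while a known service whose DLL merely changed still surfaces for review.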

The APT also hosts PowerShell scripts and arbitrary commands that can be executed on the victim machine as the attackers require, another deviation from previous backdoor capabilities, the researchers said. The backdoor can run those commands through either of two mechanisms: PowerShell or the Windows command shell (cmd.exe).

"This indicates that Turla is modularizing their malware into various components, likely to avoid detection and blocking of a single bulky backdoor responsible for everything on the infected endpoint," a Cisco Talos researcher told Dark Reading.

TinyTurla-NG also deploys a previously unknown PowerShell-based implant dubbed TurlaPower-NG, aimed specifically at exfiltrating files that may be of interest to the attackers, signaling another shift in the APT's tactics. In the attacks on Polish NGOs, Turla used the PowerShell implant to grab the password databases of popular password management software, "indicating a concerted effort for Turla to steal login credentials," the researcher says.

Turla: Old Dog, Old & New Tricks

Turla is an experienced APT that has operated for well over a decade in attacks believed to be carried out on behalf of the Russian government. The group has used zero-days, legitimate software, and other techniques to deploy backdoors in systems belonging to militaries and governments, diplomatic entities, and technology and research organizations. In one case, it was even linked, through code overlaps with its Kazuar backdoor, to the now-infamous SolarWinds breach.

The earliest compromise date in this latest campaign against Ukraine-supporting Polish NGOs was Dec. 18, 2023, and the campaign remained active until as recently as Jan. 27, 2024, according to the researchers. There are some indications, however, that it could have started even earlier, in November 2023.

Though TinyTurla-NG and TurlaPower-NG are new forms of custom Turla malware used in the campaign, the group continues to employ old tactics as well, particularly for command-and-control (C2). For instance, it continues to leverage compromised WordPress-based websites as C2 servers to host and operate the malware.

"The operators use different websites running vulnerable WordPress versions (versions including 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code," according to the post.

Defending Against Sophisticated APT Cyberattacks

Cisco Talos published indicators of compromise (IoCs) for the latest Turla campaign, including both file hashes and domains, along with a list of the security products that provide coverage for organizations worried about being targeted.

Overall, to defend against sophisticated APT threats, the researchers recommend that organizations adopt "a layered defense model" that allows malicious activity to be detected and blocked at every stage, from initial compromise to final payload deployment.

"It is imperative that organizations detect and protect against such highly motivated and sophisticated adversaries across multiple attack surfaces," the researcher says.

Cisco Talos also recommends that organizations monitor for hands-on-keyboard activity, such as the archiving of files of interest and their subsequent exfiltration, to further protect themselves against targeted attacks.
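The hands-on-keyboard sequence mentioned above is worth turning into a concrete correlation rule: an archive being built on a host, followed shortly afterwards by an outbound connection to the internet from a scripting or living-off-the-land binary rather than a browser. Each step on its own is routine; together, within a short window on the same host, they are the staging-then-exfiltration pattern the report describes. The Python below is an added example, not Talos's or the malware's code. It runs over a constructed list of Sysmon-style process and network events (timestamps, the `WS01`/`WS02` hosts and the documentation-range IP addresses are all made up); the archiver command patterns, the set of processes treated as unlikely legitimate uploaders, the 15-minute window and the RFC 1918 test for "internal" are assumptions you would tune for your own estate.

```python
"""Correlate archive creation with a follow-on outbound connection.

Added example (not Talos's code). Input is a constructed list of
Sysmon-like events so the script runs offline.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed: how long staging may precede exfiltration

# Command-line shapes that produce an archive (assumed list; extend for your environment).
ARCHIVE_CMDS = re.compile(
    r"compress-archive|\b7z(a|\.exe)?\s+a\b|\brar(\.exe)?\s+a\b|\btar(\.exe)?\s+-?c|\bmakecab\b",
    re.IGNORECASE,
)
# Processes that should rarely be the ones pushing data to the internet (assumed list).
EXFIL_PROCS = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_external(ip: str) -> bool:
    """Crude internal/external split: RFC 1918 ranges count as internal."""
    return not (
        ip.startswith("10.")
        or ip.startswith("192.168.")
        or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip)
    )


def correlate(events):
    """Return [(host, archive_event, network_event)] for every exfil-looking pair inside WINDOW."""
    events = sorted(events, key=lambda e: e["ts"])
    staging = {}  # host -> archive-creation events seen so far
    alerts = []
    for e in events:
        t, host = parse_ts(e["ts"]), e["host"]
        if e["type"] == "process" and ARCHIVE_CMDS.search(e["cmdline"]):
            staging.setdefault(host, []).append(e)
        elif e["type"] == "network" and e["image"].lower() in EXFIL_PROCS and is_external(e["dst_ip"]):
            for a in staging.get(host, []):
                age = t - parse_ts(a["ts"])
                if timedelta(0) <= age <= WINDOW:
                    alerts.append((host, a, e))
    return alerts


# Constructed sample telemetry (Sysmon-style); hosts, times and addresses are invented.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2024-01-10 09:00:00", "host": "WS01",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"type": "network", "ts": "2024-01-10 08:50:00", "host": "WS01",
     "image": "powershell.exe", "dst_ip": "203.0.113.10", "dst_port": 443},  # before any staging
    {"type": "process", "ts": "2024-01-10 09:02:10", "host": "WS01",
     "cmdline": "powershell.exe -nop -c \"Compress-Archive -Path C:\\Users\\anna\\Documents\\* "
                "-DestinationPath C:\\Windows\\Temp\\d.zip\""},
    {"type": "network", "ts": "2024-01-10 09:05:30", "host": "WS01",
     "image": "powershell.exe", "dst_ip": "203.0.113.10", "dst_port": 443},  # 3 min later: alert
    {"type": "network", "ts": "2024-01-10 09:30:00", "host": "WS01",
     "image": "chrome.exe", "dst_ip": "203.0.113.20", "dst_port": 443},      # browser: ignored
    {"type": "process", "ts": "2024-01-10 10:00:00", "host": "WS02",
     "cmdline": "7z.exe a C:\\backup\\docs.7z C:\\Data"},
    {"type": "network", "ts": "2024-01-10 10:03:00", "host": "WS02",
     "image": "powershell.exe", "dst_ip": "10.0.0.5", "dst_port": 445},      # internal: ignored
    {"type": "network", "ts": "2024-01-10 12:00:00", "host": "WS02",
     "image": "certutil.exe", "dst_ip": "198.51.100.7", "dst_port": 80},     # outside window
]

if __name__ == "__main__":
    for host, archive, net in correlate(SAMPLE_EVENTS):
        print(f"[{host}] {archive['ts']} archived via: {archive['cmdline']}")
        print(f"        {net['ts']} {net['image']} -> {net['dst_ip']}:{net['dst_port']}")
```

Only the WS01 pair fires: the 08:50 connection predates the staging, the browser connection is excluded by process, the WS02 PowerShell connection is internal, and the certutil.exe connection is two hours after the archive was built. In production the same rule would also consume file-creation events for `.zip`/`.7z`/`.rar` files, since an attacker can archive with a renamed or dropped tool that no command-line pattern matches.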
