

Rewterz Threat Update – Critical Microsoft Exchange Server Flaw Actively Exploited as Zero-Day
February 18, 2024
Rewterz Threat Advisory – Multiple Microsoft Products Vulnerabilities
February 19, 2024
Severity
High
Analysis Summary
Turla is a well-known cyber espionage group with ties to the Russian Intelligence Service, specifically the Federal Security Service (FSB). Active since at least 2004, the group targets government, military, education, research, pharmaceutical and NGO sectors using custom tools and malware.
Security researchers uncovered the TinyTurla-NG malware while investigating a compromise at a Polish NGO supporting Ukraine. The malware, which has targeted the NGO since December, aims to exfiltrate master passwords for popular password management software. The campaign actively targets multiple NGOs in Poland and relies on WordPress websites, compromised through their vulnerabilities, for command and control.
TinyTurla-NG operates as a backdoor, ensuring persistent access to compromised systems even if other mechanisms are removed. It is deployed as a service DLL started through svchost.exe and utilizes various threads for its functionalities. The malware is controlled through commands stored on compromised WordPress sites, allowing the threat actor to manipulate its behavior, change sleep intervals, switch shells, fetch or exfiltrate files, and create batch files for execution.
The malware targets passwords used for unlocking password management software or databases. These passwords are wrapped into .ZIP archives and exfiltrated to the command-and-control (C2) servers. The scripts exclude video files during the enumeration stage. Although at least three variants of TinyTurla-NG exist, researchers could only access two of them. The campaign likely began in November 2023, with Turla maintaining access to the target infrastructure between December 18 and January 27. Despite differences in code, TinyTurla-NG shares similarities with the older TinyTurla implant, serving as a “secret backdoor” for persistent access.
The analysis underscores the sophisticated tactics employed by the Turla APT group, utilizing advanced malware like TinyTurla-NG to conduct cyber espionage operations, particularly targeting NGOs and leveraging vulnerabilities in WordPress websites for command and control purposes.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Data Exfiltration
Indicators of Compromise
Domain Name
- hanagram.jp
- caduff-sa.ch
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Conduct regular security awareness training to educate employees about phishing threats and safe email practices.
- Enable multi-factor authentication (MFA) to strengthen account security and prevent unauthorized access.
- Implement robust email filtering mechanisms to identify and block phishing emails, reducing the risk of malware delivery.
- Ensure timely updates and patches for all software, including Microsoft Exchange servers, to address known vulnerabilities.
- Segregate critical systems and sensitive data from the rest of the network through network segmentation to limit lateral movement.
- Deploy comprehensive endpoint protection solutions to detect and block malware and ransomware, safeguarding devices from compromise.
- Collaborate with cybersecurity organizations and law enforcement agencies to share threat intelligence and stay informed about emerging threats.
- Develop and regularly update an incident response plan to efficiently handle cyber attacks, reducing downtime and minimizing the impact of a breach.
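One way to carry out the IOC search above against web proxy logs, as an added example written for this advisory and not Rewterz's own tooling. It matches the two listed C2 domains (and any subdomain of them, but not lookalike names), then flags large POST bodies to those hosts as candidate exfiltration of the ZIP archives described in the analysis; the log format and the sample lines are constructed assumptions.

```python
"""Hunt constructed proxy logs for the TinyTurla-NG C2 domains listed in the advisory."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Domains from the Indicators of Compromise section above.
IOC_DOMAINS = {"hanagram.jp", "caduff-sa.ch"}

# Constructed sample proxy log lines; assumed field order: ts client method url status bytes_out.
SAMPLE_LOG = """\
2024-01-10T08:01:02Z 10.1.5.23 GET https://www.example.com/index.html 200 512
2024-01-10T08:03:44Z 10.1.5.23 POST https://hanagram.jp/upload 200 184320
2024-01-10T08:05:10Z 10.1.7.9 GET http://cdn.caduff-sa.ch/page 404 0
2024-01-10T08:06:00Z 10.1.7.9 GET https://notcaduff-sa.ch/ 200 1024
"""

@dataclass
class Hit:
    timestamp: str
    client: str
    method: str
    host: str
    bytes_out: int

def host_matches(host: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True for the IoC host or any subdomain of it; lookalikes such as notcaduff-sa.ch do not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def scan_proxy_log(text: str, ioc_domains=IOC_DOMAINS) -> list[Hit]:
    """Return one Hit per log line whose URL host matches an IoC domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, method, url, _status, bytes_out = parts
        host = urlsplit(url).hostname or ""
        if host_matches(host, ioc_domains):
            hits.append(Hit(ts, client, method, host, int(bytes_out)))
    return hits

def large_uploads(hits: list[Hit], threshold: int = 100_000) -> list[Hit]:
    """POSTs to an IoC host with a large body are candidate archive exfiltration; threshold is an assumption."""
    return [h for h in hits if h.method == "POST" and h.bytes_out >= threshold]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} -> {h.host} ({h.method}, {h.bytes_out} bytes out)")
    print("possible exfiltration events:", len(large_uploads(found)))
```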