Russian Hackers Use TinyTurla-NG to Hack Systems of European NGOs

March 21, 2024 | Pressroom | Threat Intelligence / Malware


The Russia-linked criminal actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) to install a backdoor called TinyTurla-NG.

“The attackers compromised the first system, established persistence, and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions,” Cisco Talos said in a new report released today.

“Turla then opened up additional communication channels via Chisel for data exfiltration and targeting additional accessible systems in the network.”

There is evidence that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltration through the tool taking place a month later, around January 12, 2024.


TinyTurla-NG was first documented by the cybersecurity firm last month after it was discovered to be used in connection with a cyberattack against a Polish NGO working to improve Polish democracy and support Ukraine during the Russian invasion.

Cisco Talos told The Hacker News at the time that the campaign appears to be highly targeted and focused on a small number of organizations, most of which are located in Poland.


The attack chain involves Turla using its initial access to configure Microsoft Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then made persistent by creating a malicious "sdm" service masquerading as a "System Device Manager" service.

TinyTurla-NG serves as a backdoor for follow-up reconnaissance, for exfiltrating files of interest to a command-and-control (C2) server, and for deploying a customized version of the Chisel tunneling software. The exact initial intrusion path is still being investigated.

“Once attackers gain access to a new box, they will repeat their activities to create Microsoft Defender exclusions, delete malware components, and create persistence,” Talos researchers said.
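The two host artifacts the report describes, Defender exclusions added early in the intrusion and a persistence service named "sdm" with the display name "System Device Manager", can be checked on a Windows endpoint with the following PowerShell hunt script. It is an added example, not code from the article or from Cisco Talos; the service names come from the report, the cmdlets and Event ID 5007 are standard Windows ones, and the 180-day lookback window is an assumption.

```powershell
# Added hunt script (not Talos's or the article's code). Run from an elevated PowerShell
# session on the endpoint being examined.

# 1. Current Defender exclusions. The intrusion added these as a preliminary step, so any
#    path, process or extension here that the organisation did not deliberately configure
#    is worth explaining.
$pref = Get-MpPreference
[pscustomobject]@{
    Paths      = $pref.ExclusionPath
    Processes  = $pref.ExclusionProcess
    Extensions = $pref.ExclusionExtension
} | Format-List

# 2. When were exclusions changed? Event ID 5007 in the Defender operational log records
#    every configuration change, including the registry key that was modified; keeping
#    only events that mention "Exclusions" gives a timeline of additions and removals.
#    The lookback window is an assumption; widen it to cover the suspected dwell time.
$since = (Get-Date).AddDays(-180)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 3. Persistence: a service named "sdm" or presenting itself as "System Device Manager".
#    Win32_Service exposes the binary path, so the executable can be collected for
#    analysis rather than judged by its display name alone.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq 'sdm' -or $_.DisplayName -match 'System Device Manager' } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List
```

Because the report notes the same exclusion-and-service pattern was repeated on each newly reached host, running the script fleet-wide (for example through a remoting or EDR live-response channel) is more useful than checking only the first known victim.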
