Russian APT Turla exploits new backdoor malware against Polish NGOs

The Russian state-sponsored Advanced Persistent Threat (APT) group Turla is now targeting Polish NGOs in a cyberespionage campaign that uses a newly developed backdoor with modular capabilities, signaling a broadening of the scope of its attacks against supporters of the Ukrainian war effort.

According to a Cisco Talos blog post published today on Turla (also known as Snake, Uroburos, Venomous Bear or WaterBug), the backdoor used in the attacks, nicknamed “TinyTurla-NG”, has very similar functionality to the APT’s well-known custom malware, the similarly named TinyTurla. “It acts as a ‘last chance’ backdoor that is left behind to be used when all other unauthorized access mechanisms/backdoors have failed or have been detected on infected systems,” Cisco Talos researchers wrote in the post.

TinyTurla-NG custom malware goes modular

Like TinyTurla before it, TinyTurla-NG is a service DLL started via svchost.exe. However, the malware code is new, and different features of the malware are handled by separate threads in the implementation, which distinguishes it from its predecessor.
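A defender-side hunting script, added here as an example and not code from the Cisco Talos report or this article: it enumerates the services that svchost.exe hosts and flags any service DLL that lives outside the Windows system directories or lacks a valid Microsoft signature, which is the kind of check that surfaces a service-DLL backdoor of the type described above. It assumes an elevated PowerShell session on the host being checked; the trusted-directory list is an assumption.

```powershell
# Added hunting example (not from the Talos post). Run in an elevated PowerShell session.
function Get-SuspiciousSvchostServiceDll {
    [CmdletBinding()]
    param(
        # Directories where legitimate svchost-hosted DLLs normally reside (assumption).
        [string[]]$TrustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )
    $results = @()
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        # Only services whose ImagePath is svchost.exe load a ServiceDll.
        if (-not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { return }
        $paramKey = Join-Path $_.PSPath 'Parameters'
        $dll = (Get-ItemProperty $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }
        # Expand %SystemRoot%-style variables so the path comparison works.
        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        $inTrusted = $false
        foreach ($d in $TrustedDirs) {
            if ($dllPath.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        $sig = if (Test-Path $dllPath) { Get-AuthenticodeSignature $dllPath } else { $null }
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and
                    $sig.SignerCertificate.Subject -match 'Microsoft'
        # Report anything outside the trusted directories or without a valid Microsoft signature.
        if (-not $inTrusted -or -not $msSigned) {
            $results += [pscustomobject]@{
                Service    = $_.PSChildName
                ServiceDll = $dllPath
                Exists     = Test-Path $dllPath
                Signature  = if ($sig) { $sig.Status } else { 'FileMissing' }
                InTrusted  = $inTrusted
            }
        }
      }
    return $results
}

Get-SuspiciousSvchostServiceDll | Format-Table -AutoSize
```

The output is a triage list, not a verdict: third-party software legitimately registers svchost-hosted DLLs, so compare hits against a known-good baseline before escalating.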

The APT also hosts several PowerShell scripts and arbitrary commands that can be executed on the victim’s computer based on the attackers’ needs, another departure from the previous backdoor’s capabilities, researchers said. Additionally, it provides further functionality such as executing commands via the attackers’ choice of two mechanisms: PowerShell or the Windows command line.

“This indicates that Turla is modularizing its malware into various components, likely to avoid detection and blocking of a single cumbersome backdoor responsible for everything on the infected endpoint,” a Cisco Talos researcher told Dark Reading.

TinyTurla-NG also deploys a previously unknown PowerShell-based implant called TurlaPower-NG, aimed specifically at exfiltrating files that the attackers are interested in, signaling another change in the APT’s tactics. In the attacks on Polish NGOs, Turla used the PowerShell implant to target the password databases of popular password management software, “indicating a concerted effort by Turla to steal login credentials,” the researcher said.

Turla: old dog, old and new tricks

Turla is an experienced APT that has operated for many years in attacks believed to be carried out on behalf of the Russian government. The group has used zero-days, legitimate software and other techniques to plant backdoors in systems belonging to militaries and governments, diplomatic entities, and technology and research organizations. In one case, it was even connected, through the Kazuar backdoor, to the now infamous SolarWinds breach.

The first compromise in this latest campaign against Polish NGOs supporting Ukraine dates to December 18, and the campaign remained active until January 27 this year, according to the researchers. There are some indications, however, that it could have started even earlier, in November.

Although TinyTurla-NG and TurlaPower-NG are new custom malware that Turla used in the campaign, the group also continues to employ old tactics, particularly for command and control (C2). For example, it continues to use compromised WordPress-based websites as C2 servers to host and operate the malware.

“The operators use several websites running vulnerable versions of WordPress (including versions 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the uploading of PHP files containing C2 code,” the post reads.

Defending against sophisticated APT cyberattacks

Cisco Talos has included a list of hashes and domains in its Indicators of Compromise (IoC) list for the latest Turla campaign, as well as a list of security solutions that can provide cover for organizations worried about being targeted.

Overall, the researchers recommend that organizations adopt “a layered defense model” that enables detection and blocking of malicious activity from initial compromise through final payload deployment in order to defend against sophisticated APT threats.

“It is critical that organizations detect and protect against such highly motivated and sophisticated adversaries across multiple attack surfaces,” says the researcher.

Cisco Talos also recommends that organizations watch for manual activity such as the archiving of files of interest followed by their exfiltration, to further protect against targeted attacks.
