Russian Turla hackers target Polish NGOs with new TinyTurla-NG backdoor

February 15, 2024 · Pressroom · Malware / cyber espionage

The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month campaign targeting Polish non-governmental organizations in December 2023.

“TinyTurla-NG, just like TinyTurla, is a small ‘last chance’ backdoor that is left behind to be used when all other unauthorized access mechanisms/backdoors have failed or have been detected on infected systems,” Cisco Talos said in a technical report published today.

TinyTurla-NG is so named because it shows similarities to TinyTurla, another implant the group has used in intrusions targeting the United States, Germany, and Afghanistan since at least 2020. TinyTurla was first documented by Cisco Talos in September 2021.

Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB).

In recent months, the threat actor has targeted the defense sector in Ukraine and Eastern Europe with a new .NET-based backdoor called DeliveryCheck, while upgrading its second-stage implant, Kazuar, which it has used since at least 2017.

The latest campaign involving TinyTurla-NG dates back to December 18, 2023 and is said to have continued until January 27, 2024. However, based on the malware’s compilation dates, it is suspected that the activity may have actually started in November 2023.

It is currently unknown how the backdoor is initially deployed in victim environments, but it has been found to use compromised WordPress-based websites as command-and-control (C2) endpoints from which it retrieves and executes instructions. The supported tasking lets the operators run commands through PowerShell or the Command Prompt (cmd.exe) and download files to, or upload files from, the infected host.
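The behaviour described above (an implant polling a WordPress-hosted C2 page and then launching cmd.exe or PowerShell to run the tasking) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from the Cisco Talos report: a small correlation heuristic in Python that runs over constructed Sysmon-style events and flags a process that both contacts a URL path that looks like a WordPress site and spawns a shell shortly afterwards. The WordPress path markers, the event layout, the ten-minute window and the sample events are all assumptions for illustration, not indicators from the report.

```python
"""
Added example (not from the article or the Talos report): correlate
outbound contact with a WordPress-looking URL and a subsequent shell
launch by the same process. Event layout, path markers and the time
window are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed generic WordPress path markers (not IOCs from the report).
WORDPRESS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/wp-json/")
# Shells the article says the backdoor uses for tasking.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed maximum gap between the C2 contact and the shell launch.
WINDOW = timedelta(minutes=10)

# Constructed sample events: (ISO timestamp, kind, pid, detail).
# kind "net"  -> detail is the URL the process contacted
# kind "proc" -> detail is the image name of a child process it spawned
SAMPLE_EVENTS = [
    ("2023-12-18T09:00:00", "net", 4120, "http://example-blog.invalid/wp-content/uploads/2023/12/x.php"),
    ("2023-12-18T09:02:10", "proc", 4120, "powershell.exe"),   # within window -> hit
    ("2023-12-18T09:05:00", "net", 5010, "https://www.example.invalid/index.html"),
    ("2023-12-18T09:06:00", "proc", 5010, "cmd.exe"),          # no WordPress path -> no hit
    ("2023-12-18T10:30:00", "net", 6100, "http://another-site.invalid/wp-json/wp/v2/posts"),
    ("2023-12-18T11:00:00", "proc", 6100, "cmd.exe"),          # 30 min later -> outside window
]


def looks_like_wordpress(url: str) -> bool:
    """True if the URL path contains one of the assumed WordPress markers."""
    host_and_path = url.split("://", 1)[-1]
    path = host_and_path[host_and_path.find("/"):] if "/" in host_and_path else "/"
    return any(marker in path for marker in WORDPRESS_MARKERS)


def correlate(events, window: timedelta = WINDOW):
    """
    Return a list of (pid, url, child_image) tuples for every process that
    spawned a shell within `window` after contacting a WordPress-looking URL.
    Events are processed in timestamp order so earlier contacts are known
    before the shell launch is seen.
    """
    wp_contacts = defaultdict(list)   # pid -> [(contact_time, url), ...]
    hits = []
    for ts, kind, pid, detail in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        if kind == "net" and looks_like_wordpress(detail):
            wp_contacts[pid].append((now, detail))
        elif kind == "proc" and detail.lower() in SHELLS:
            for contact_time, url in wp_contacts[pid]:
                if timedelta(0) <= now - contact_time <= window:
                    hits.append((pid, url, detail))
                    break
    return hits


if __name__ == "__main__":
    for pid, url, child in correlate(SAMPLE_EVENTS):
        print(f"pid {pid}: contacted {url} then spawned {child}")
```

Legitimate WordPress browsing will also match the path heuristic, so in practice the window, the parent-process allow-list and the set of path markers need tuning against the environment's own baseline; the value of the rule is the conjunction of the two events in one process, not either event alone.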

TinyTurla-NG also acts as a conduit for delivering PowerShell scripts named TurlaPower-NG, which are designed to collect the key material used to protect the password databases of popular password management software and exfiltrate it in the form of a ZIP archive.

The disclosure comes as Microsoft and OpenAI revealed that Russian state actors are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) such as ChatGPT, to research satellite communications protocols and radar imaging technologies and to seek help with scripting tasks.
