Russian state hackers use new TinyTurla malware as secondary backdoor
Over the past year, Russian state-sponsored hackers known as the Turla APT group have used new malware that served as a secondary persistence method on compromised systems in the United States, Germany, and Afghanistan.
Named TinyTurla for its limited functionality and straightforward coding style, the backdoor could also serve as a stealthy second-stage malware dropper.
Simple and efficient
Cisco Talos security researchers describe TinyTurla as a “previously unknown” backdoor belonging to the Turla APT group, in use since at least 2020 and evading malware detection largely because of its simplicity.
Forensic evidence indicates that Turla APT (Advanced Persistent Threat) actors used the newly discovered backdoor against the previous Afghan government.
However, Cisco Talos telemetry, which is what led the researchers to the new malware, shows that TinyTurla has also been deployed on systems in the United States and Germany.
Tying the TinyTurla backdoor to Russian state hackers was possible because the threat actor used the same infrastructure seen in other attacks attributed to the Turla APT group.
In research published today, the researchers say the hackers used the malware “as a second-chance backdoor to maintain system access” if the primary access tool was removed.
Compared to a full-fledged backdoor, TinyTurla’s functionality is limited to the essentials: uploading, downloading, and executing files.
From the command codes the malware accepts from its command-and-control (C2) server, the researchers recovered the following commands:
- 0x00: “Authentication”
- 0x01: “Execute process”
- 0x02: “Execute with output collection”
- 0x03: “Download file”
- 0x04: “Upload file”
- 0x05: “Create sub-process”
- 0x06: “Close sub-process”
- 0x07: “Pipe sub-process input/output”
- 0x08: “Set TimeLong”
- 0x09: “Set TimeShort”
- 0x0A: “Set new ‘Security’ password”
- 0x0B: “Set hosts”
Because the malware was found through telemetry collection, it is still unclear how it landed on the victims’ systems. Cisco Talos does, however, provide some technical details in a blog post published today.
The threat actor used a .BAT file to install the backdoor as a service. The backdoor itself is a DLL named w64time.dll, chosen to pass for w32time.dll, the DLL behind the legitimate Windows Time service.
Posing as a service is what let TinyTurla evade detection: with so many legitimate services running in the background, it is hard for administrators to tell whether a malicious one is hiding among them.
Analysis of the malware showed that it contacts its C2 server every five seconds, a regular pattern that stands out in network traffic and that administrators should investigate.
Despite this, Turla was able to use the backdoor for almost two years, according to the researchers.
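Two of the observations above translate directly into checks a defender can run. The first is the lookalike service DLL: the W32Time service is backed by w32time.dll, and a DLL whose name differs by a character or two (w64time.dll) is exactly what a baseline comparison should catch. The script below is an added example written for this article, not Talos code; it audits a constructed inventory of service names and their ServiceDll paths (on a live host these come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll) against an assumed, deliberately small baseline of Windows service DLL names, and flags near-miss names as well as known names loaded from outside System32.

```python
r"""Spot service DLLs whose names are near-misses of well-known Windows service
DLLs, as w64time.dll is of w32time.dll.  Added example for this article; the
inventory and the baseline below are constructed/illustrative, not from a real
host or a complete Windows image."""
import ntpath

# Assumed baseline: a small subset of DLLs that back built-in Windows services.
# A real baseline would be generated from a known-good image of the same build.
KNOWN_SERVICE_DLLS = {
    "w32time.dll", "schedsvc.dll", "wuaueng.dll", "dnsrslvr.dll", "iphlpsvc.dll",
}
SYSTEM32 = r"c:\windows\system32"


def edit_distance(a, b):
    """Levenshtein distance between two strings (iterative dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(path):
    """Lower-case a ServiceDll value and expand the %SystemRoot% form the
    registry commonly uses, so directory comparisons are meaningful."""
    return path.lower().replace("%systemroot%", r"c:\windows")


def audit_service_dlls(inventory, max_distance=2):
    """inventory: {service_name: ServiceDll path}.
    Returns a list of (service, path, reason) findings for
      - DLL names within max_distance edits of a baseline name but not equal to it
      - baseline DLL names loaded from a directory other than System32."""
    findings = []
    for svc, path in inventory.items():
        directory, dll = ntpath.split(normalize(path))
        if dll in KNOWN_SERVICE_DLLS:
            if directory != SYSTEM32:
                findings.append((svc, path, "known DLL name loaded from outside System32"))
            continue
        closest = min(KNOWN_SERVICE_DLLS, key=lambda k: edit_distance(dll, k))
        d = edit_distance(dll, closest)
        if d <= max_distance:
            findings.append((svc, path, f"name within {d} edit(s) of {closest}"))
    return findings


# Constructed inventory for this example (not a real host's registry dump).
CONSTRUCTED_INVENTORY = {
    "W32Time":  r"%SystemRoot%\System32\w32time.dll",
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
    "Dnscache": r"%SystemRoot%\System32\dnsrslvr.dll",
    "W64Time":  r"C:\Windows\System32\w64time.dll",   # TinyTurla-style lookalike
    "wuauserv": r"C:\Users\Public\wuaueng.dll",        # right name, wrong directory
}

if __name__ == "__main__":
    for svc, path, reason in audit_service_dlls(CONSTRUCTED_INVENTORY):
        print(f"{svc:10} {path:40} {reason}")
```

An edit-distance threshold of 2 is a tuning choice: it catches single-character swaps and digit changes without flooding the output, but a real baseline has hundreds of entries, so pair this with a check of the DLL's Authenticode signature before escalating.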
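The second observation is the five-second check-in. A timer-driven implant produces connections whose inter-arrival times are short and nearly constant, while human-driven traffic to the same port is bursty. The following added example (written for this article, not part of Talos' research) builds a constructed set of flow records, groups them by source, destination and port, and flags flows whose gaps have a low coefficient of variation; the record layout, thresholds and IP addresses are all assumptions for the illustration.

```python
"""Flag periodic, low-jitter outbound connections of the kind a fixed-interval
C2 check-in produces.  Added example for this article; the flow records are
constructed, not Talos telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2021, 9, 21, 10, 0, 0)


def constructed_log():
    """Build sample flow records (timestamp, src, dst, dport); constructed data."""
    records = []
    # Implant-like check-in: same host and port every ~5 s with tiny jitter.
    jitter = [0.0, 0.12, -0.08, 0.05, -0.11]
    for i in range(24):
        ts = T0 + timedelta(seconds=5 * i + jitter[i % len(jitter)])
        records.append((ts, "10.0.0.5", "198.51.100.20", 443))
    # Human browsing to a different host: bursty, irregular gaps.
    for gap in [0, 2, 3, 40, 41, 43, 120, 121, 300, 305, 306, 900]:
        records.append((T0 + timedelta(seconds=gap), "10.0.0.5", "203.0.113.7", 443))
    return sorted(records)


def find_beacons(records, min_hits=10, max_cv=0.1, max_interval=60):
    """Return {(src, dst, dport): (mean_gap_seconds, cv)} for flows that are
    seen at least min_hits times, recur within max_interval seconds on average,
    and whose gaps vary little (cv = stdev / mean <= max_cv).
    A scripted timer gives a cv near 0; a person does not."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(ts)
    flagged = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_interval:
            continue  # guard division by zero; ignore slow, infrequent flows
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[flow] = (round(avg, 2), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (src, dst, dport), (avg, cv) in find_beacons(constructed_log()).items():
        print(f"{src} -> {dst}:{dport}  every {avg}s  cv={cv}")
```

A fixed five-second interval with negligible jitter is the easy case; implants that randomise their sleep defeat a plain coefficient-of-variation test, so in production this is one signal among several (destination rarity, byte-size regularity, user-agent) rather than a verdict on its own.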
Turla’s history goes back a long way
The simplicity of TinyTurla contrasts with typical Turla tradecraft, which includes covert exfiltration over hijacked satellite connections, watering hole attacks, rootkits, and covert-channel backdoors.
The APT group goes by various names in the infosec industry (e.g. Waterbug, Venomous Bear, Iron Hunter, Krypton, Snake, Uroburos).
It has been targeting victims across a wide range of industries for espionage and data theft since at least 2014.
The group’s origins, however, may go back to 1996 and the Moonlight Maze cyberespionage operation, a massive breach of classified information on systems at NASA, the Pentagon, military contractors, and several other US government agencies.
Investigators said that if the stolen documents had been printed, the stack would have been three times the height of the Washington Monument.
Almost 20 years later, researchers at Kaspersky Lab and King’s College London discovered a link between Turla and the malware used in the Moonlight Maze attack.