A new backdoor used by the Russian Turla APT group to keep the attacks live has been discovered, which has been reported to be active in the U.S., Germany and Afghanistan in recent times. It is also known as TinyTurla, due to its simple and efficient capability to go undetected; the malware is like a second door to ensure the infected devices remain accessible even if the earlier malware has been detected and wiped off.
Discovered by Cisco Talos’ telemetry data, the researchers shared that the hackers used the malware “as a second-chance backdoor to maintain access to the system” if the primary access tool got removed.
⚠️⚠️ @TalosSecurity discovered new #malware used by the Russian #Turla APT group to keep a secret backdoor on victim machines. Get all the details, including ways our customers can detect and block this threat below 👇 https://t.co/d9cSiFYutW
— Cisco Secure (@CiscoSecure) September 21, 2021
The malware can be used stealthily to download, upload and/or execute files. The backdoor code is designed in a simple manner to allow it to be off the security radar.
Attack TTPs
The threat actor uses a .BAT file that resembles the Microsoft Windows Time Service, to install the backdoor. The backdoor comes in the form of a service dynamic link library (DLL) called w64time.dll. The description and filename make it look like a valid Microsoft DLL. Once up and running, it allows the attackers to exfiltrate files or upload and execute them, thus functioning as a second-stage postern when needed.
Per the Cisco Talos researchers, the malware’s DLL ServiceMain startup function doesn’t do much beyond executing a function they called “main malware” that includes the backdoor code. Referring to the DLL as “pretty simple”: It consists of just a few functions and two “while” loops, including “the whole malware logic.”
About Turla APT
A Russian-sponsored APT group, Turla is also known as Waterbug, Venomous Bear and KRYPTON, has been in operation since the early 2000s. The group is known for targeting government entities and embassies across countries. It is believed to be behind attacks on the U.S. State Department, NASA, U.S. Central Command (CENTCOM) and various embassies located in European countries.
Its ability to remain undetected for extended periods of time has enabled the malware to evolve and come up with new techniques to attack. After the initial installation of the malware, the success depends on its continued stealthy communication with the attackers and exfiltration of data (also known as command and control or C2).
Forbid the Trojan
Enterprises can contain Turla by keeping the operating system and all third-party applications updated.
- Do not run or install software or updates from untrusted sources
- Look out for emails containing suspicious attachments or links
- Ensure you are using an antimalware network appliance, a domain name system malware analysis tool, a network anomaly detection tool, or advanced endpoint security tools.
