Security researchers have identified and analyzed new malware they call TinyTurla-NG and TurlaPower-NG used by the Russian hacker group Turla to maintain access to a target’s network and to steal sensitive data.
The threat actor used multiple websites running vulnerable versions of WordPress for command and control (C2) purposes and to host malicious PowerShell scripts.
Turla is a cyber espionage threat group active since at least 2004 and linked to a Russian intelligence service, specifically the Federal Security Service (FSB).
It focuses on targeting organizations in various sectors (e.g. government, military, education, research, pharmaceutical, NGO) using custom tools and malware.
WordPress sites for command and control
Cisco Talos security researchers discovered TinyTurla-NG while investigating a compromise in collaboration with CERT.NGO at a Polish non-governmental organization supporting Ukraine during the Russian invasion.
The malware targeted the NGO as early as last December and deployed the TurlaPower-NG PowerShell scripts to exfiltrate master passwords for popular password management software.
According to the researchers, TinyTurla-NG is actively targeting multiple NGOs in Poland.
The C2 servers used in the TinyTurla-NG campaign are legitimate but vulnerable WordPress websites, which the threat actor breaches to set up scripts, infection logging, and directories necessary to communicate with the implant and to store stolen data.
The TinyTurla-NG malware acts as a backdoor and its purpose is to provide the threat actor access to the compromised system when all other mechanisms fail or when they’ve been detected and removed.
The technical report from Cisco Talos explains that TinyTurla-NG is a service DLL started through svchost.exe and the malware’s features are distributed via various threads.
Using commands stored on compromised websites with an outdated WordPress version, the hackers can control TinyTurla-NG with the following commands:
- timeout: changes the number of minutes the backdoor sleeps between asking the C2 for new tasks
- changeshell: instructs the backdoor to switch the current shell executing commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
- changepoint: likely used to instruct on switching to the second C2 URL available in the implant.
- get: fetches a file specified by the C2 using an HTTP GET request and writes it to a specified location on the disk
- post: exfiltrates a file from the victim to the C2
- killme: creates a BAT file with a name based on a given parameter
Data exfiltration is done using malicious PowerShell scripts, which the researchers named TurlaPower-NG, delivered through the new backdoor.
“The scripts consist of the C2 URL and target file paths. For each file path specified, the script will recursively enumerate files and add them to an archive on disk” – Cisco Talos
During the enumeration stage, the scripts exclude video files with the .MP4 extension. The targeted data are passwords that unlock password management software or databases, which are wrapped into a .ZIP archive.
There are at least three variants of the TinyTurla-NG backdoor but the researchers could get access to only two of them.
Based on the findings, Turla had access to the target infrastructure between December 18 and January 27. However, according to the malware compilation dates, the campaign likely started as early as November last year.
While TinyTurla-NG’s code is different from the threat actor’s older TinyTurla implant, they both have the same use acting as a “secret backdoor” that continues to provide access when other methods become unsuccessful. The two implants share similarities in coding style and functionality implementation.
Cisco Talos makes available a small set of indicators of compromise for TinyTurla-NG in both .TXT and .JSON format.