State-sponsored attackers linked to Russia are using a “previously undiscovered” backdoor to target systems in the United States, Afghanistan, and Germany.
The attacks have been attributed to the Turla advanced persistent threat (APT) group; the malware has been dubbed “TinyTurla” because of its minimal functionality and efficient coding style, which help it go undetected. These backdoor attacks have been happening since 2020.
According to a researcher, this simple backdoor is most likely a backup backdoor used to retain access to a system after the original malware has been removed. It may also serve as a second-stage dropper, allowing other malware to be installed on the machine.
Moreover, TinyTurla can upload files from the infected system to a remote server, execute files, and poll the command-and-control (C2) server every five seconds for new commands.
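A fixed five-second polling interval is something a defender can look for in outbound-connection metadata, regardless of what the traffic carries. The following Python script is an added example (not code from the article or from any TinyTurla analysis): it groups connections by source host and destination, measures the time between consecutive connections, and flags pairs whose intervals are nearly constant. The log lines and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example and are not indicators from the campaign.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "<ISO timestamp> <source host> <dest ip:port>".
# One destination is contacted every 5 seconds (beacon-like); the other at irregular
# intervals (browsing-like). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-09-21T10:00:00 ws-17 203.0.113.10:443
2021-09-21T10:00:01 ws-17 198.51.100.5:443
2021-09-21T10:00:05 ws-17 203.0.113.10:443
2021-09-21T10:00:10 ws-17 203.0.113.10:443
2021-09-21T10:00:13 ws-17 198.51.100.5:443
2021-09-21T10:00:14 ws-17 198.51.100.5:443
2021-09-21T10:00:15 ws-17 203.0.113.10:443
2021-09-21T10:00:20 ws-17 203.0.113.10:443
2021-09-21T10:00:25 ws-17 203.0.113.10:443
2021-09-21T10:00:30 ws-17 203.0.113.10:443
2021-09-21T10:00:35 ws-17 203.0.113.10:443
2021-09-21T10:01:02 ws-17 198.51.100.5:443
2021-09-21T10:02:40 ws-17 198.51.100.5:443
2021-09-21T10:02:41 ws-17 198.51.100.5:443
2021-09-21T10:03:10 ws-17 198.51.100.5:443
"""


def parse_log(text):
    """Parse the three-column log into (datetime, host, destination) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        records.append((datetime.fromisoformat(ts), host, dest))
    return records


def beacon_candidates(records, min_events=6, max_cv=0.2):
    """Return {(host, dest): mean interval in seconds} for pairs whose
    inter-arrival times are near-constant.

    A pair is reported when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of the gaps is at most `max_cv`.
    Both thresholds are tuning assumptions; implants that add jitter need a
    looser `max_cv`, and legitimate periodic traffic (NTP, update checks)
    needs an allowlist applied to the result."""
    by_pair = defaultdict(list)
    for ts, host, dest in records:
        by_pair[(host, dest)].append(ts)

    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


if __name__ == "__main__":
    for (host, dest), interval in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {dest}: steady {interval:.1f}s interval")
```

Run against the constructed log, only the 203.0.113.10:443 destination is reported, with a 5.0-second mean interval; the irregular browsing-like destination is not. The same logic applies to firewall, proxy or NetFlow exports once they are parsed into the same three fields.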
This Russian-backed espionage group is well known for its cyber-attacks on government institutions and embassies in the United States, Europe, and Eastern Bloc nations. The TinyTurla campaign uses a .BAT file to install the malware, although the specific infiltration route is unknown at this time.
The new backdoor installs itself as a seemingly benign but fake Microsoft Windows Time Service (“w32time.dll”). It is designed to register itself and contact an attacker-controlled server for further instructions, ranging from downloading and running arbitrary programs to sending the results of those commands back to the server.
TinyTurla’s ties to Turla are based on similarities in the group’s modus operandi and on infrastructure already recognized as that used by the group in previous campaigns. However, the attacks contrast sharply with the group’s earlier covert operations, which have used hacked web servers and stolen satellite connections for C2 infrastructure, as well as evasive malware like Crutch and Kazuar.
This is a clear example of how malicious services can easily be overlooked on today’s systems, hidden among the many legitimate services running in the background.
It is vital to have a multi-layered security architecture in place to identify these kinds of threats. Attackers may get past one or more security measures, but it is far harder for them to get through all of them.
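A service that borrows the name of the Windows Time Service DLL stands out once service definitions are compared against what the real service looks like. The Python script below is an added example (not code from the article, and not a published TinyTurla detection): it takes service records shaped like the values under HKLM\SYSTEM\CurrentControlSet\Services (key name, display name, ServiceDll) and flags entries where a well-known DLL name or display name appears under the wrong key or the DLL is loaded from somewhere other than System32. The service records, the key names WinTimeSvc and TimeSync, and their paths are constructed for the example; the two-entry allowlist is an assumption that would normally be built from a golden image.

```python
import ntpath

# Constructed service records, not from any real host. On a real system these
# would be read from HKLM\SYSTEM\CurrentControlSet\Services\<key> and
# <key>\Parameters\ServiceDll.
SAMPLE_SERVICES = [
    {"key": "W32Time", "display": "Windows Time",
     "service_dll": r"%SystemRoot%\system32\w32time.dll"},
    {"key": "Dnscache", "display": "DNS Client",
     "service_dll": r"%SystemRoot%\System32\dnsrslvr.dll"},
    # Hypothetical masquerade: real DLL name and display name, wrong key and path.
    {"key": "WinTimeSvc", "display": "Windows Time",
     "service_dll": r"C:\ProgramData\WinTime\w32time.dll"},
    # Hypothetical masquerade: real DLL name in a System32 subdirectory.
    {"key": "TimeSync", "display": "Time Synchronisation",
     "service_dll": r"C:\Windows\System32\drivers\etc\w32time.dll"},
]

# Allowlist assumption: key name -> (display name, DLL basename) for services
# that a fake might imitate. Extend from a known-good reference machine.
KNOWN = {
    "w32time": ("windows time", "w32time.dll"),
    "dnscache": ("dns client", "dnsrslvr.dll"),
}
SYSTEM32 = r"c:\windows\system32"


def normalize(path):
    """Lower-case the path and expand %SystemRoot%/%windir% to C:\\Windows."""
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p


def suspicious_services(records):
    """Return [(key, [reasons])] for records that collide with a known service
    identity or load a known service DLL name from outside System32."""
    dll_owner = {dll: key for key, (_, dll) in KNOWN.items()}
    display_owner = {disp: key for key, (disp, _) in KNOWN.items()}
    findings = []
    for rec in records:
        key = rec["key"].lower()
        dll_dir, dll_name = ntpath.split(normalize(rec["service_dll"]))
        reasons = []
        if dll_name in dll_owner and key != dll_owner[dll_name]:
            reasons.append(f"DLL name {dll_name} belongs to service {dll_owner[dll_name]}")
        if dll_name in dll_owner and dll_dir != SYSTEM32:
            reasons.append(f"system DLL loaded from {dll_dir} instead of {SYSTEM32}")
        disp = rec["display"].lower()
        if disp in display_owner and key != display_owner[disp]:
            reasons.append(f"display name '{rec['display']}' belongs to service {display_owner[disp]}")
        if reasons:
            findings.append((rec["key"], reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in suspicious_services(SAMPLE_SERVICES):
        print(f"[!] {key}")
        for r in reasons:
            print(f"    - {r}")
```

The two genuine entries pass; WinTimeSvc is flagged on all three rules and TimeSync on the DLL-name and path rules. Path comparison is exact on the directory, so a copy dropped into a System32 subdirectory does not pass as the system file. This is a structural check only; confirming a flagged DLL is malicious still needs a signature check and a hash lookup, which are outside this example.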