Turla APT, the Russian state-sponsored hacker group, has been found using a new malware named TinyTurla. It is a previously unidentified backdoor from the Turla APT group.
This malware caught the attention of researchers when it targeted Afghanistan before the Taliban's recent takeover of the government. It has also been used in recent attacks against countries including the U.S. and Germany. Experts believe the malware is most likely used as a second-stage dropper to infect the system with additional malware.
The attackers use the TinyTurla backdoor as a backup to maintain access to a compromised system if their primary access is somehow removed. It performs tasks such as uploading, downloading, and executing files.
The attackers reused infected servers for their operations, which are usually accessed using SSH. They used a BAT file to install the backdoor, which comes disguised as a DLL file impersonating a valid Windows Time Service. The malware contacts its C2 server every five seconds, creating unusual network traffic that could easily be detected as suspicious.
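As an added example (not from the article, and not any vendor's or Turla's own code), a small Python detector that flags fixed-interval outbound connections such as the five-second C2 check-in described above; the log format, hosts and addresses are constructed for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records (not from the article):
# one host checking in to a single destination at a fixed 5-second cadence,
# mixed with irregular web traffic from another host.
SAMPLE_LOG = """\
2021-09-21T10:00:00 10.0.0.5 203.0.113.10 443
2021-09-21T10:00:03 10.0.0.7 198.51.100.20 443
2021-09-21T10:00:05 10.0.0.5 203.0.113.10 443
2021-09-21T10:00:10 10.0.0.5 203.0.113.10 443
2021-09-21T10:00:11 10.0.0.7 198.51.100.20 443
2021-09-21T10:00:15 10.0.0.5 203.0.113.10 443
2021-09-21T10:00:20 10.0.0.5 203.0.113.10 443
2021-09-21T10:00:25 10.0.0.5 203.0.113.10 443
2021-09-21T10:00:47 10.0.0.7 198.51.100.20 443
2021-09-21T10:01:02 10.0.0.7 198.51.100.20 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_count=5, max_period=10.0, max_jitter=0.5):
    """Return flows whose inter-connection intervals are short and nearly constant.

    A flow is flagged when it has at least min_count connections, the median
    interval is at most max_period seconds, and the intervals vary by no more
    than max_jitter seconds (population standard deviation).
    Each result is ((src, dst, dport), median_interval_seconds).
    """
    hits = []
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if period <= max_period and jitter <= max_jitter:
            hits.append((key, period))
    return hits

if __name__ == "__main__":
    for (src, dst, dport), period in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}:{dport} every {period:.1f}s")
```

Thresholds are placeholders to tune against a baseline of normal traffic; a real deployment would read flow or proxy logs rather than the embedded sample.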
The Turla APT group managed to keep its new backdoor hidden for around two years without being detected. This shows that threat actors have improved at evading conventional modes of detection by hiding under the guise of legitimate services. Organizations are recommended to deploy automated security solutions that can detect and prevent such malicious services.