29th September 2021, Kathmandu
State-sponsored hackers affiliated with Russia are abaft an incipient series of intrusions utilizing an aforetime undocumented implant to compromise systems in the U.S., Germany, and Afghanistan.
Cisco Talos attributed the assailants to the Turla advanced assiduous threat (APT) group, coining the malware “TinyTurla” for its inhibited functionality and efficient coding style that sanctions it to go undetected. Attacks incorporating the backdoor are believed to have occurred since 2020.
“This simple backdoor is likely utilized as a second-chance backdoor to maintain access to the system, even if the primary malware is abstracted,” the researchers verbally expressed. “It could withal be utilized as a second-stage dropper to infect the system with adscititious malware.” Furthermore, TinyTurla can upload and execute files or exfiltrate sensitive data from the infected machine to a remote server, while additionally polling the command-and-control (C2) station every five seconds for any incipient commands.
Withal kenned by the monikers Snake, Venomous Bear, Uroburos, and Iron Hunter, the Russian-sponsored espionage outfit is notorious for its cyber offensives targeting regime entities and embassies spanning across the U.S., Europe, and Eastern Bloc nations. The TinyTurla campaign involves the utilization of a. BAT file to deploy the malware, but the exact intrusion route remains obscure as yet.
The novel backdoor which camouflages as an innocuous but fake Microsoft Windows Time Accommodation (“w32time.dll”) to fly under the radar is orchestrated to register itself and establish communications with an assailer-controlled server to receive further injunctive authorizations that range from downloading and executing arbitrary processes to uploading the results of the commands back to the server.
TinyTurla’s links to Turla emanate from overlaps in the modus operandi, which has been antecedently identified as identically tantamount infrastructure utilized by the group in other campaigns in the past. But the assailants withal stand in stark contrast to the outfit’s historical covert campaigns, which have included compromised web servers and hijacked satellite connections for their C2 infrastructure, not to mention evasive malware like Crutch and Kazuar.
“This is a good example of how facile malignant accommodations can be overlooked on today’s systems that are clouded by the myriad of legit accommodations running in the background at all times,” the researchers noted.
“It’s more paramount now than ever to have multi-layered security architecture in place to detect these kinds of attacks. It isn’t unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them.”