Frame-14

Privacy Ninja

        • DATA PROTECTION

        • Email Spoofing Prevention
        • Check if your organization email is vulnerable to hackers and put a stop to it. Receive your free test today!
        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • AntiHACK Phone
        • Boost your smartphone’s security with enterprise-level encryption, designed by digital forensics and counterintelligence experts, guaranteeing absolute privacy for you and up to 31 others, plus a guest user, through exclusive access.

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$3,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Secure your digital frontiers with our API penetration testing service, meticulously designed to identify and fortify vulnerabilities, ensuring robust protection against cyber threats.

        • Network Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Mobile Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Web Penetration Testing
        • Fortify your web presence with our specialized web penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats.

        • RAPID DIGITALISATION

        • OTHERS

Russian State Hackers Use New TinyTurla Malware As Secondary Backdoor

Russian State Hackers Use New TinyTurla Malware As Secondary Backdoor

Russian state-sponsored hackers known as the Turla APT group have been using new malware over the past year that acted as a secondary persistence method on compromised systems in the U.S., Germany, and Afghanistan.

Named TinyTurla due to its limited functionality and uncomplicated coding style, the backdoor could also be used as a stealthy second-stage malware dropper.

Simple and efficient

Security researchers at Cisco Talos say that TinyTurla is a “previously undiscovered” backdoor from the Turla APT group that has been used since at least 2020, slipping past malware detection systems particularly because of its simplicity.

“This malware specifically caught our eye when it targeted Afghanistan prior to the Taliban’s recent takeover of the government there and the pullout of Western-backed military forces” – Cisco Talos

Forensic evidence indicates that Turla APT (advanced persistent threat) actors have been targeting the previous Afghan government with the newly discovered backdoor.https://www.ad-sandbox.com/static/html/sandbox.html

However, Cisco Talos’ telemetry data, which is how the researcher discovered the new malware, shows that TinyTurla has also been deployed on systems in the U.S. and Germany.

Also Read: Got Hacked? Here Are 5 Ways to Handle Data Breaches

Linking the TinyTurla backdoor to the Russian state hackers was possible because the threat actor used the same infrastructure seen in other attacks attributed to the Turla APT group.

“One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla infrastructure” – Cisco Talos

In research published today, the researchers say that the hackers used the malware “as a second-chance backdoor to maintain access to the system” if the primary access tool got removed.

Compared to a full-fledged backdoor, TinyTurla’s functionality is limited to essential tasks that include downloading, uploading, and executing files.

Looking at the codes received from the command and control (C2) server, the researchers collected the following commands:

  • 0x00: ‘Authentication’
  • 0x01: ‘Execute process’
  • 0x02: ‘Execute with output collection’
  • 0x03: ‘Download file’
  • 0x04: ‘Upload file’
  • 0x05: ‘Create Subprocess’
  • 0x06: ‘Close Subprocess ‘
  • 0x07: ‘Subprocess pipe in/out’
  • 0x08: ‘Set TimeLong’
  • 0x09: ‘Set TimeShort’
  • 0x0A: ‘Set new ‘Security’ password’
  • 0x0B: ‘Set Host(s)’

Since the malware was found through telemetry collection, it remains unknown how it landed on victim systems. Cisco Talos provides some technical details, though, in a blog post today.

The threat actor used a .BAT file to install the backdoor. It comes disguised as a DLL file (w64time.dll) to impersonate w32time.dll, a legitimate Windows Time Service.

TinyTurla disguised as Windows Time Service
source: Cisco Talos

Camouflaging as a service is what made TinyTurla evade detection because the large number of legitimate services active in the background makes it difficult for admins to check if a malicious one hides among them.

The analysis of the malware showed that it is contacting the C2 server every five seconds, which creates an anomaly in the network traffic that administrators should investigate.

Despite this tell, though, Turla was able to use this backdoor for almost two years, the researchers say.

Turla history goes way back

TinyTurla’s simplicity contrasts Turla’s typical tactics, which include covert exfiltration methods using hijacked satellite connectionswatering hole attacks, rootkits, and stealthy channel backdoors.

The APT group is referred to by various names (e.g. Waterbug, Venomous Bear, Iron Hunter, Krypton, Snake, Uroburos) in the infosec industry.

It has been targeting victims across a wide range of industries for espionage and data theft since at least 2014.

The early history of the group may go as far back as 1996, though, connected to the Moonlight Maze cyberespionage operation, a massive data breach targeting classified information on systems from NASA, the Pentagon, military contractors, and multiple government agencies in the U.S.

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

According to investigators, had the stolen documents been printed, the stack would be three times taller than the Washington Monument.

Almost 20 later, researchers from Kaspersky Lab and King’s College London found a link between Turla and malware used in the Moonlight Maze attack.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us