Turla hackers backdoor NGOs with new TinyTurla-NG malware

February 15, 2024 at 10:03AM

Security researchers discovered new malware known as TinyTurla-NG and TurlaPower-NG, being used by the Russian hacker group Turla. The group exploits vulnerable WordPress websites for command and control purposes. Targeting organizations across various sectors, they aim to steal sensitive data using custom tools and malware. The malware’s purpose is to offer backdoor access to compromised systems.

Key findings from the report are as follows:

1. Security researchers have identified and analyzed new malware called TinyTurla-NG and TurlaPower-NG, which have been used by the Russian hacker group Turla for cyber espionage activities.

2. Turla primarily targets organizations in various sectors such as government, military, education, research, pharmaceutical, and NGOs using custom tools and malware.

3. TinyTurla-NG was discovered by Cisco Talos. It is actively being used against multiple NGOs in Poland, and the threat actor relies on compromised, vulnerable WordPress sites as its command-and-control (C2) servers.

4. TurlaPower-NG, a PowerShell script, was deployed by TinyTurla-NG to exfiltrate master passwords for popular password management software from a Polish non-governmental organization supporting Ukraine.

5. Data exfiltration is carried out by TurlaPower-NG, which packages the targeted material into a .ZIP archive containing the passwords that unlock the victim's password management software or password databases.

6. There are at least three variants of the TinyTurla-NG backdoor, and researchers could only access two of them. The campaign likely started as early as November last year.

7. Both TinyTurla-NG and its older implant serve as a "secret backdoor" for maintaining access when other methods fail, and the two show clear similarities in coding style and functionality.

8. Cisco Talos has made available a small set of indicators of compromise for TinyTurla-NG in both .TXT and .JSON format.
