March 21, 2024 at 12:57PM
Turla, a Russia-linked threat actor, infected the systems of a European NGO with the TinyTurla-NG backdoor, establishing persistence and evading antivirus. After gaining initial access, the attackers exfiltrated data through Chisel; the intrusion dates back to October 2023 and was part of a targeted campaign using customized malware. Turla's tradecraft here included adding Microsoft Defender exclusions and creating a malicious service. Cisco Talos disclosed this in a recent report.
Meeting Notes Takeaways:
1. Russia-linked threat actor Turla infected systems of an unnamed European non-governmental organization using the backdoor TinyTurla-NG.
2. The attack involved initial compromise, persistence establishment, antivirus exclusions, data exfiltration via Chisel, and pivot to additional network systems.
3. The systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltration around January 12, 2024.
4. TinyTurla-NG was previously used in a cyber attack targeting a Polish NGO and is associated with a highly targeted campaign focusing on a small number of organizations, largely in Poland.
5. The attack chain involves evading detection by configuring Microsoft Defender antivirus exclusions, dropping TinyTurla-NG, and persisting through a malicious “sdm” service masquerading as a “System Device Manager” service.
6. TinyTurla-NG acts as a backdoor for reconnaissance, file exfiltration to a command-and-control server, and deployment of a customized build of the Chisel tunneling tool.
7. Talos researchers highlighted the attackers’ repetitive approach of creating Microsoft Defender exclusions, dropping malware components, and establishing persistence upon gaining access to a new system.
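The repeated sequence in takeaways 5 and 7 (add a Defender exclusion, drop the malware, install a service for persistence) is something a defender can correlate in host logs. The following Python sketch is an added example, not code from the Talos report or this summary. It assumes a simplified key=value log export; the Windows event IDs 5007 (Defender configuration change) and 7045 (service installed) are real, while the hosts, timestamps, file paths and the field layout of the sample lines are constructed for the example. The only indicator taken from the summary is the "sdm" service name with its "System Device Manager" display name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value export format. This is
# a stand-in for a SIEM export, not real Windows Event Log text: event IDs
# 5007 and 7045 are real, but hosts, times, paths and field layout are made up.
SAMPLE_EVENTS = [
    "time=2024-01-10T09:00:00 host=WS-01 event_id=5007 "
    "message=Windows Defender configuration has changed. New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\ = 0x0",
    "time=2024-01-10T09:02:30 host=WS-01 event_id=7045 "
    "message=A service was installed in the system. Service Name: sdm "
    "Service File Name: C:\\Users\\Public\\sdm.exe Display Name: System Device Manager",
    "time=2024-01-10T11:15:00 host=WS-02 event_id=7045 "
    "message=A service was installed in the system. Service Name: Spooler "
    "Service File Name: C:\\Windows\\System32\\spoolsv.exe Display Name: Print Spooler",
    "time=2024-01-11T08:00:00 host=WS-03 event_id=5007 "
    "message=Windows Defender configuration has changed. New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Temp\\ = 0x0",
]

EVENT_RE = re.compile(r"^time=(\S+) host=(\S+) event_id=(\d+) message=(.*)$")
EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = ", re.IGNORECASE)
SERVICE_NAME_RE = re.compile(r"Service Name: (\S+)")
SERVICE_FILE_RE = re.compile(r"Service File Name: (.+?) Display Name: (.+)$")

# Service name taken from the summary; a real watchlist would be longer.
WATCHLIST_SERVICE_NAMES = {"sdm"}
# Directories where a freshly installed service binary is usually expected.
EXPECTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# An exclusion followed by a service install on the same host inside this
# window is the "exclusion, drop, persist" sequence the takeaways describe.
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Turn one export line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m.group(1)),
        "host": m.group(2),
        "event_id": int(m.group(3)),
        "message": m.group(4),
    }


def detect(lines):
    """Return a list of alerts; each alert is a dict with host, severity and reasons."""
    alerts = []
    last_exclusion = {}  # host -> (time, excluded path) of the most recent exclusion
    for ev in map(parse_event, lines):
        if ev is None:
            continue
        host, msg = ev["host"], ev["message"]
        if ev["event_id"] == 5007:
            m = EXCLUSION_RE.search(msg)
            if m:
                last_exclusion[host] = (ev["time"], m.group(2))
                alerts.append({"host": host, "severity": "medium",
                               "reasons": [f"Defender exclusion added ({m.group(1)}): {m.group(2)}"]})
        elif ev["event_id"] == 7045:
            name_m, file_m = SERVICE_NAME_RE.search(msg), SERVICE_FILE_RE.search(msg)
            if not (name_m and file_m):
                continue
            name, binary, display = name_m.group(1), file_m.group(1), file_m.group(2)
            reasons = []
            if name.lower() in WATCHLIST_SERVICE_NAMES:
                reasons.append(f"service name on watchlist: {name} (display name '{display}')")
            if not binary.lower().startswith(EXPECTED_SERVICE_DIRS):
                reasons.append(f"service binary outside standard directories: {binary}")
            excl = last_exclusion.get(host)
            if excl and ev["time"] - excl[0] <= CORRELATION_WINDOW:
                reasons.append("installed within 30 min of a Defender exclusion on this host")
                if binary.lower().startswith(excl[1].lower()):
                    reasons.append(f"service binary sits under excluded path {excl[1]}")
            if reasons:
                # Several independent signals on one install is the strong case.
                severity = "high" if len(reasons) > 1 else "low"
                alerts.append({"host": host, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], "; ".join(alert["reasons"]))
```

On the constructed input this yields a medium alert for each exclusion and a high alert for the WS-01 service install, because it hits the watchlist, runs from a non-standard directory, follows an exclusion within the window and sits under the excluded path; the Spooler install on WS-02 produces nothing. The point of keeping exclusion events as their own medium alerts is that an exclusion without a matching service install can still be the first step of the sequence on a host where persistence takes another form.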