February 15, 2024 at 10:52AM
The Russia-sponsored APT group Turla launched a cyberespionage campaign targeting Polish NGOs, using a new backdoor named “TinyTurla-NG” with modular capabilities. The backdoor executes PowerShell and Windows command-line commands, and a companion implant, TurlaPower-NG, exfiltrates files. Turla also relies on old tactics, such as compromised WordPress-based websites for command and control. Cisco Talos recommends a layered defense model for protection.
Summary:
– Russia-sponsored APT group Turla is targeting Polish NGOs in a cyberespionage campaign using a newly developed backdoor, TinyTurla-NG, indicating an expansion of its attacks against supporters of the Ukrainian war effort.
– The backdoor has modular capabilities and shares similarities with the APT’s known custom malware, TinyTurla, and acts as a “last-chance” backdoor left behind for unauthorized access.
– TinyTurla-NG is a service DLL started via svchost.exe. Its code is new, with the individual malware features run in separate threads, and it allows the execution of commands via PowerShell or the Windows command line.
– Turla also deploys a PowerShell-based implant, TurlaPower-NG, aimed at exfiltrating files and stealing login credentials from victims in attacks on Polish NGOs.
– Turla, an experienced APT operating for years and linked to the SolarWinds breach, continues to use old tactics for command-and-control (C2), leveraging compromised WordPress-based websites.
– Cisco Talos recommends a layered defense model so that organizations can detect hands-on-keyboard activity, such as file archiving and exfiltration, and protect against these sophisticated APT threats.
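Because TinyTurla-NG is described as a service DLL loaded through svchost.exe, one concrete check in a layered defense is to audit which DLLs svchost-hosted services actually load and where they live. The script below is an added example written for this summary, not code from Cisco Talos or the report; it assumes the standard Windows registry layout (a service's `Parameters\ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services`) and flags DLLs outside the Windows directory or without a valid Authenticode signature for triage. It is a hunting aid for this persistence pattern, not a signature for the malware itself.

```powershell
# Added example (not from the Talos report): enumerate svchost-hosted service DLLs
# and flag any whose ServiceDll lives outside the Windows directory or is not
# validly signed. Run in an elevated PowerShell session.

$windir   = $env:SystemRoot
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

$findings = foreach ($svc in $services) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Only services whose ImagePath goes through svchost.exe host a ServiceDll
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }

    $paramKey = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $paramKey)) { continue }
    $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # ServiceDll is usually REG_EXPAND_SZ; expand %SystemRoot%-style variables before comparing paths
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    $inWindir = $expanded.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)

    # Signature status helps prioritise: an unsigned DLL in an odd location comes first
    $sig = if (Test-Path $expanded) { (Get-AuthenticodeSignature $expanded).Status } else { 'FileMissing' }

    [PSCustomObject]@{
        Service    = $svc.PSChildName
        ServiceDll = $expanded
        InWindir   = $inWindir
        Signature  = $sig
        StartType  = $props.Start   # 2 = Automatic, 3 = Manual, 4 = Disabled
    }
}

# Review anything outside the Windows directory or not validly signed first
$findings |
    Where-Object { -not $_.InWindir -or $_.Signature -ne 'Valid' } |
    Sort-Object InWindir, Signature |
    Format-Table -AutoSize
```

On a healthy system nearly every svchost-hosted DLL sits under `System32` with a valid Microsoft signature, so the filtered list is short and anything on it deserves a look. The check is deliberately broad: a DLL dropped inside the Windows directory would pass the path test, which is why the signature status is kept alongside it, and why this audit complements rather than replaces the layered detection of PowerShell execution, archiving and outbound transfers that Talos recommends.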