February 15, 2024 at 09:56AM
Security researchers have discovered new malware called TinyTurla-NG and TurlaPower-NG, utilized by the Russian hacker group Turla for network access and data theft. Turla exploits vulnerable WordPress websites for command and control, targeting organizations across various sectors. The malware’s backdoor functionality and data exfiltration methods were detailed in a report by Cisco Talos.
The report highlights the activities of the Russian hacker group Turla, which has used malware named TinyTurla-NG and TurlaPower-NG to maintain access to target networks and steal sensitive data. The threat actors were found to employ multiple vulnerable WordPress websites for command and control. Malicious PowerShell scripts were used to exfiltrate master passwords for popular password management software, and TinyTurla-NG targeted several NGOs in Poland. The malware acts as a backdoor that gives the threat actors access to compromised systems and is initiated through svchost.exe. Data exfiltration is handled by TurlaPower-NG, which constructs .ZIP archives of targeted data, including passwords. The researchers identified at least three variants of the TinyTurla-NG backdoor. Cisco Talos has also released a small set of indicators of compromise for TinyTurla-NG in both .TXT and .JSON format.