Russian Turla Cyberspies Target Polish NGOs With New Backdoor

February 22, 2024 at 10:51AM

Turla, a Russian state-sponsored threat actor, has deployed a new backdoor called TinyTurla-NG in recent attacks on NGOs in Poland. The malware, an evolution of TinyTurla, was first used in December 2023 and is designed for implant administration and file management. Turla also deployed other tools in this attack.

The Russian state-sponsored threat actor Turla has been observed deploying a new backdoor named TinyTurla-NG in recent attacks targeting non-governmental organizations (NGOs) in Poland. The backdoor is an evolution of TinyTurla and was first deployed in December 2023 against a Polish NGO supporting Ukraine. At least three different backdoor samples were used in the campaign, which was still active at the end of January 2024.

The attackers used compromised sites running vulnerable versions of WordPress for command-and-control (C&C) purposes, allowing them to upload PHP files and host PowerShell scripts and commands for execution on victim machines. The code of TinyTurla-NG differs from its predecessor, and it accepts command codes for implant administration and file management.

Additionally, malicious PowerShell scripts called TurlaPower-NG were identified, designed to harvest specific files for exfiltration, particularly focusing on password databases and management software. The attackers also issued modular PowerShell commands for reconnaissance, file copying, and credential exfiltration.

Furthermore, the compromised WordPress sites were used both as a handler for the implants and as a web shell for remote command execution on the compromised domain. The attackers also deployed a modified version of the GoLang-based tunneling tool Chisel, credential harvesting scripts targeting Chrome and Edge, and a tool for executing commands with high privileges.
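The C&C pattern described above (PowerShell on the victim fetching scripts and commands from PHP files planted on compromised WordPress sites) is something a defender can look for in egress proxy logs. The following Python script is an added example and is not code from the article or from any of the tools it names; the log format, the hostnames, the client IPs and the scoring weights are all constructed for illustration. It relies on two observations: WordPress upload directories should never serve PHP, and the default user-agent strings of Invoke-WebRequest in Windows PowerShell and PowerShell 7 contain "WindowsPowerShell/" or "PowerShell/", so a request carrying that substring to a PHP file under wp-content is worth triaging.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the article). Assumed format:
# <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-01-29T09:14:02Z 10.0.5.21 GET https://blog.example-compromised.invalid/wp-content/uploads/2023/12/up.php?c=1 200 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.0"
2024-01-29T09:15:10Z 10.0.5.21 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-01-29T09:16:44Z 10.0.5.33 POST https://other-site.invalid/wp-content/plugins/foo/x.php 200 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.0"
2024-01-29T09:17:01Z 10.0.5.40 GET https://cdn.example.com/lib.js 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
2024-01-29T09:18:30Z 10.0.5.21 GET https://updates.example.com/manifest.json 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1023"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def parse_line(line):
    """Split one log line into a dict, or return None for lines that do not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status), "ua": ua}


def score_request(rec):
    """Assign an additive suspicion score and the reasons behind it (weights are an assumption)."""
    ua = rec["ua"].lower()
    path = urlparse(rec["url"]).path.lower()
    score, reasons = 0, []
    # "windowspowershell/" also contains "powershell/", so one substring covers both default UAs
    if "powershell/" in ua:
        score += 2
        reasons.append("powershell user-agent")
    # PHP served from anywhere under wp-content is unusual for a normal visitor
    if "/wp-content/" in path and path.endswith(".php"):
        score += 2
        reasons.append("php under wp-content")
    # the uploads directory in particular should never execute PHP
    if path.startswith("/wp-content/uploads/"):
        score += 1
        reasons.append("uploads directory")
    return score, reasons


def flag_suspicious(log_text):
    """Return the records worth triaging, in log order, with a severity and the matched reasons."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec)
        if score >= 4:
            severity = "high"
        elif score >= 2:
            severity = "medium"
        else:
            continue
        hits.append({"ts": rec["ts"], "src": rec["src"], "url": rec["url"],
                     "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_LOG):
        print(f'{h["severity"]:6} {h["src"]} {h["url"]}  ({", ".join(h["reasons"])})')
```

A plain PowerShell user-agent only earns a medium score because legitimate administration scripts fetch updates the same way; the combination with a PHP path under wp-content is what raises a request to high. The user-agent check is easily defeated by a client that sets its own UA, so it is a triage aid, not a control.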

Turla has been active since at least 2006 and is believed to operate on behalf of the Russian government. The tactics and tooling seen in these attacks give defenders concrete behaviour to detect and mitigate.
