Russia’s Turla APT Abuses MSBuild to Deliver TinyTurla Backdoor


May 21, 2024 at 10:59AM

A Russia-linked APT group is deploying the TinyTurla backdoor through a campaign that combines socially engineered emails with a fileless payload. The campaign targets individuals and entities in the Philippines, and the TinyTurla backdoor is attributed to the long-running Russia-sponsored threat actor Turla. The attackers impersonate legitimate authorities and use sophisticated techniques to avoid detection. Defenders are advised to deploy strong email filtering, exercise caution with email attachments, and restrict the use of certain tools to reduce the risk of their abuse by threat actors.

A Russia-linked advanced persistent threat (APT) group has been using PDF and MSBuild project files in a campaign of socially engineered emails that delivers the TinyTurla backdoor as a fileless payload. The campaign targets individuals and entities in the Philippines and shows a notable evolution in sophistication. The threat actor Turla is believed to be behind the activity, and the campaign's seamless delivery routine makes it difficult to detect.

The campaign begins with spam emails carrying a document that lures the victim into installing the TinyTurla backdoor. When the victim opens the document, it triggers a chain of operations that ends in execution of the backdoor, which lets the threat actors carry out follow-on malicious activity while avoiding detection and tightening their control over the compromised system.

To avoid compromise by Turla and other APTs, it is recommended to deploy strong email-filtering systems, advise employees to exercise caution when handling email attachments or links, and limit the use of MSBuild and scripting languages to authorized personnel or specific systems.
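One way to act on the last recommendation is to alert when MSBuild is launched in a way that matches attachment-driven execution rather than a developer build. The script below is an added illustration, not code from the article or from any vendor; it assumes a constructed `key=value|key=value` process-creation record format, and the list of user-facing parent processes and the user-writable directory heuristic are assumptions chosen for this example.

```python
"""
Detection sketch: flag MSBuild.exe launches that look like a phished project
file being opened rather than a developer build. Added example with a
constructed log format; the sample records are not telemetry from the campaign.
"""
import re
from typing import Dict, List

# Parents that correspond to a user opening an attachment or link, not to a
# build tool chain (assumed list for this example).
USER_FACING_PARENTS = {
    "outlook.exe", "winword.exe", "excel.exe", "acrord32.exe",
    "explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
}

# Locations a mailed project file is likely to be written to (assumed heuristic).
USER_WRITABLE_RE = re.compile(
    r"\\(downloads|temp|tmp|appdata|inetcache|desktop)\\", re.IGNORECASE
)

# Extensions MSBuild will happily treat as a project file.
PROJECT_EXT_RE = re.compile(r"\.(csproj|vbproj|proj|xml|targets)$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def project_argument(cmdline: str) -> str:
    """Return the first command-line token that looks like a project file."""
    for token in re.findall(r'"[^"]+"|\S+', cmdline):
        token = token.strip('"')
        if PROJECT_EXT_RE.search(token):
            return token
    return ""


def assess(event: Dict[str, str]) -> List[str]:
    """Reasons an MSBuild launch looks like attachment-driven execution."""
    if basename(event.get("Image", "")) != "msbuild.exe":
        return []
    reasons: List[str] = []
    parent = basename(event.get("ParentImage", ""))
    if parent in USER_FACING_PARENTS:
        reasons.append(f"spawned by user-facing application {parent}")
    project = project_argument(event.get("CommandLine", ""))
    if project and USER_WRITABLE_RE.search(project):
        reasons.append(f"project file in user-writable location: {project}")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the heuristic over a batch of records and collect alerts."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append({"time": event.get("UtcTime"), "reasons": reasons})
    return alerts


# Constructed sample records for this example (not real campaign telemetry).
SAMPLE_LOG = [
    # Legitimate build started from Visual Studio on a checked-out repo.
    "UtcTime=2024-05-21 10:59:00|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|CommandLine=MSBuild.exe C:\\Users\\alice\\source\\repos\\App\\App.csproj /t:Build"
    "|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
    # Project file opened from a temp directory by Explorer: matches both heuristics.
    "UtcTime=2024-05-21 11:02:13|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
    "|CommandLine=MSBuild.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice.proj\""
    "|ParentImage=C:\\Windows\\explorer.exe",
    # Unrelated process, ignored.
    "UtcTime=2024-05-21 11:05:40|Image=C:\\Windows\\notepad.exe"
    "|CommandLine=notepad.exe readme.txt|ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], "->", "; ".join(alert["reasons"]))
```

The two heuristics are deliberately independent: a build server will never have a mail client or browser as MSBuild's parent, and a developer workstation will rarely build from `Temp` or `Downloads`, so either signal alone is worth a ticket and both together are a strong indicator. Tune `USER_FACING_PARENTS` and `USER_WRITABLE_RE` to the environment, and pair the alert with an allow-list so that only approved build hosts can run MSBuild at all.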

