State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan.
Cisco Talos attributed the attacks to the Turla advanced persistent threat (APT) group, coining the malware “TinyTurla” for its limited functionality and efficient coding style that allows it to go undetected. Attacks incorporating the backdoor are believed to have occurred since 2020.
“This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed,” the researchers said. “It could also be used as a second-stage dropper to infect the system with additional malware.” Furthermore, TinyTurla can upload and execute files or exfiltrate sensitive data from the infected machine to a remote server, while also polling the command-and-control (C2) station every five seconds for any new commands.
Also known by the monikers Snake, Venomous Bear, Uroburos, and Iron Hunter, the Russian-sponsored espionage outfit is known for its cyber offensives targeting government entities and embassies spanning across the U.S., Europe, and Eastern Bloc nations. The TinyTurla campaign involves the use of a .BAT file to deploy the malware, but the exact intrusion route remains unclear as yet.
The novel backdoor — which camouflages as an innocuous but fake Microsoft Windows Time Service (“w32time.dll“) to fly under the radar — is orchestrated to register itself and establish communications with an attacker-controlled server to receive further instructions that range from downloading and executing arbitrary processes to uploading the results of the commands back to the server.
TinyTurla’s links to Turla come from overlaps in the modus operandi, which has been previously identified as the same infrastructure used by the group in other campaigns in the past. But the attacks also stand in stark contrast to the outfit’s historical covert campaigns, which have included compromised web servers and hijacked satellite connections for their C2 infrastructure, not to mention evasive malware like Crutch and Kazuar.
“This is a good example of how easy malicious services can be overlooked on today’s systems that are clouded by the myriad of legit services running in the background at all times,” the researchers noted.
“It’s more important now than ever to have a multi-layered security architecture in place to detect these kinds of attacks. It isn’t unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them.”