TinyTurla Backdoor, a State-sponsored Turla APT Malware, Hits Germany & the U.S.

The Turla Advanced Persistent Threat (APT) group remains one of the most notorious Russian state-sponsored hacking groups. It has been active for well over a decade and keeps evolving both its tradecraft and its arsenal. One of the latest additions to that arsenal is a pared-down rework of the Turla backdoor: its feature set is deliberately minimal, which is why it is named the TinyTurla Backdoor. Despite the limited functionality, it is still a dangerous threat, because it can give the attackers long-term access to a compromised system.

The current TinyTurla Backdoor campaign appears to focus on establishing persistence on the compromised machine and then using the implant to deliver a secondary payload. Its simplistic coding style and limited functionality helped it stay under the radar for a while and evade some security measures. Now that the implant has been publicly documented, detections for the known samples exist, but a small implant that hides inside a Windows service DLL is exactly the kind of foothold that is worth hunting for explicitly rather than leaving to antivirus alone.

Active instances of the TinyTurla Backdoor have so far been identified in Germany and the United States, but it is very likely that Turla has gone after other regions as well. Code similarities with other Turla implants are not the only reason to attribute this project to the group: it also reuses the same network infrastructure.

What Does the TinyTurla Backdoor Do?

Although limited, the features of the TinyTurla Backdoor are enough to cause real trouble. The commands this implant can execute include:

  • Authenticate the operator connecting to the implant, most likely to keep analysts from controlling and studying it.
  • Execute remote commands or files and send the output back to the command-and-control (C&C) server.
  • Download or upload files.
  • Change the authentication password and the C&C server address.

The infection vector Turla uses to deliver this backdoor is still unclear. However, the active copies of the implant that were found masqueraded as a DLL belonging to the Windows Time Service. It is common for malicious files to mimic legitimate software packages or the files they use, which is why a service whose DLL name or path deviates from the real Windows Time service (w32time.dll, loaded from System32) deserves a second look.
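The following is an added hunting example, not code from the original article and not related to the implant's own code. It runs over a constructed list of Windows service definitions (the kind of data you would collect from each service's Parameters\ServiceDll registry value) and flags a service that imitates the Windows Time service or loads its DLL from outside System32. The service names, display names and DLL paths in the sample records, including the "W64Time" lookalike, are constructed for illustration and are not indicators taken from the article; the only assumed real-world baseline is that a default Windows install runs the Windows Time service as W32Time with %SystemRoot%\system32\w32time.dll.

```python
"""Hunt for service DLLs that masquerade as the Windows Time service.

Added example; the records below are constructed, not real indicators.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed baseline for a default Windows install: the genuine Windows Time
# service is named W32Time and loads %SystemRoot%\system32\w32time.dll.
LEGIT_TIME_SERVICE_NAME = "w32time"
LEGIT_TIME_DLL = "<windir>\\system32\\w32time.dll"
SYSTEM32 = "<windir>\\system32\\"

# Deliberately narrow "imitates Windows Time" patterns: a service name in the
# W<digits>Time shape, or a display name reading "Windows ... Time". Narrow on
# purpose so legitimate services such as TimeBrokerSvc are not flagged.
NAME_PATTERN = re.compile(r"^w\d*time$", re.IGNORECASE)
DISPLAY_PATTERN = re.compile(r"windows.*time", re.IGNORECASE)


@dataclass
class ServiceRecord:
    name: str          # registry key under HKLM\SYSTEM\CurrentControlSet\Services
    display_name: str  # DisplayName value
    service_dll: str   # Parameters\ServiceDll value


@dataclass
class Finding:
    service: str
    reasons: List[str] = field(default_factory=list)


def canonical(path: str) -> str:
    """Lower-case the path and fold %SystemRoot%, %windir% and C:\\Windows into
    one token so the usual spellings of the Windows directory compare equal."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    for prefix in ("%systemroot%", "%windir%", "c:\\windows"):
        if p.startswith(prefix):
            return "<windir>" + p[len(prefix):]
    return p


def imitates_windows_time(rec: ServiceRecord) -> bool:
    return bool(NAME_PATTERN.search(rec.name) or DISPLAY_PATTERN.search(rec.display_name))


def inspect_service(rec: ServiceRecord) -> Optional[Finding]:
    """Return a Finding with every reason the service looks suspicious, or None."""
    dll = canonical(rec.service_dll)
    reasons = []
    if imitates_windows_time(rec):
        if rec.name.lower() != LEGIT_TIME_SERVICE_NAME:
            reasons.append("looks like the Windows Time service but is not W32Time")
        if dll != LEGIT_TIME_DLL:
            reasons.append(f"ServiceDll {ntpath.basename(dll)} is not the genuine w32time.dll")
    if not dll.startswith(SYSTEM32):
        reasons.append("ServiceDll is loaded from outside System32")
    return Finding(rec.name, reasons) if reasons else None


def hunt(records: List[ServiceRecord]) -> List[Finding]:
    return [f for f in map(inspect_service, records) if f is not None]


# Constructed sample records (not real indicators): one genuine Windows Time
# service, one lookalike, one unrelated service outside System32, one benign.
SAMPLE_SERVICES = [
    ServiceRecord("W32Time", "Windows Time", r"%SystemRoot%\system32\w32time.dll"),
    ServiceRecord("W64Time", "Windows 64 Time", r"%SystemRoot%\system32\w64time.dll"),
    ServiceRecord("UpdSvc", "Update Helper", r"C:\ProgramData\upd\upd.dll"),
    ServiceRecord("Dhcp", "DHCP Client", r"%SystemRoot%\system32\dhcpcore.dll"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SERVICES):
        print(finding.service, "->", "; ".join(finding.reasons))
```

On a real host, feed hunt() the output of a registry walk over the Services key; the genuine W32Time entry produces no finding, while both the lookalike and any service whose DLL lives outside System32 are reported with the specific reason, so an analyst can triage the hit instead of chasing a bare alert.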

Turla's activity has been a focus of malware researchers since 2014, but cybersecurity researchers believe the state-sponsored group's operations can be traced back to the 2000s.

September 22, 2021