Russian-Linked Group Using Secondary Backdoor Against TargetsCisco Talos: Turla Deploying Malware Against US, German and Afghan Victims
A Russian-linked group known as Turla has been deploying a secondary backdoor against numerous targets to maintain persistence within compromised devices even after the primary malware has been discovered and removed from the infrastructure, according to a research report released by Cisco Talos this week.
The newly discovered backdoor, which the researchers call "TinyTurla," has been deployed against targets in the U.S. and Germany over the last two years. More recently, however, Turla has used the malware against government organizations and agencies in Afghanistan before the country was overtaken by the Taliban in August, according to the report.
"This malware specifically caught our eye when it targeted Afghanistan prior to the Taliban's recent takeover of the government there and the pullout of Western-backed military forces," according to the analysis. "Based on forensic evidence, Cisco Talos assesses with moderate confidence that this was used to target the previous Afghan government."
Turla has been active since the mid-1990s and is one of the oldest operating advanced persistent threat groups that have links to Russia's FSB - formerly KGB - according to a study published in February by security researchers at VMware. The group, which typically targets government or military agencies, is also called Belugasturgeon, Ouroboros, Snake, Venomous Bear and Waterbug and is known for constantly changing techniques and methods to avoid detection.
"Through the years, researchers have observed that Turla continues to advance their methods and operations - most prominently, the clandestine techniques that were leveraged to exfiltrate sensitive data and operationalize compromised infrastructure," according to the VMware report, which includes Turla in a list of Russian-backed APT groups that includes APT28, APT29 and Sandworm.
In the secondary backdoor that Cisco Talos uncovered, Turla disguises the malware as a legitimate Microsoft file that is named "Windows Time Service." That file allows the malicious code to run in the background and blend in with legitimate apps on a compromised device.
"This is a good example of how easy malicious services can be overlooked on today's systems that are clouded by the myriad of legit services running in the background at all times," according to Cisco Talos. "It's often difficult for an administrator to verify that all running services are legitimate. It is important to have software and/or automated systems detecting unknown running services and a team of skilled professionals who can perform a proper forensic analysis on potentially infected systems."
While the Cisco Talos researchers discovered TinyTurla, it's not clear from the analysis exactly how the attackers initially install the backdoor within a compromised device.
Once the initial compromise step is complete, however, the attackers use a .BAT file to install the backdoor within a device. As mentioned previously, the malware is disguised as a dynamic link library that is similar to the w32time.dll file - a legitimate Windows Time Service, according to the report.
The TinyTurla backdoor itself has limited functionality, and it's mainly designed to download, upload and execute files. Once installed, the malware will attempt to contact the attackers' command-and-control server over an HTTPS encrypted channel and will continue to contact that server every five seconds to check for new instructions, according to the report.
Besides functioning as a backdoor, TinyTurla can act as a dropper to allow the attackers to install other malicious code within an infected device. Since this secondary backdoor does not have a large footprint and blends in with other background files, security tools can overlook the malware, according to Cisco Talos.
"It is not easy for anti-malware systems to detect it as malware. We found evidence in our telemetry that this software has been used by adversaries since at least 2020," the report notes.
The Cisco Talos researchers were able to attribute the TinyTurla backdoor to Turla since the group used infrastructure deployed in previous attacks.
Over the years, numerous researchers have traced Turla's various cyberespionage as well as the tools and techniques the group uses. In February, for example, Palo Alto Networks' Unit 42 found the APT deploying an IronPython-based malware loader called "IronNetInjector" as part of a campaign (see: Russian Hacking Group Deploys IronPython Malware Loader).
In January, researchers with Kaspersky published a report that found similarities between the Sunburst backdoor used during the SolarWinds supply chain attack and another malware variant called Kazuar, which had been previously attributed to Turla by researchers (see: Kaspersky: SolarWinds Backdoor Similar to Russian 'Kazuar').
The Biden administration officially attributed the SolarWinds attack to the Russian Foreign Intelligence Service, or SVR, in April and specifically to the group called APT29 or Cozy Bear. The Kaspersky report noted that over the years, there have been links and code overlap between APT29 and Turla.