The hacking team Turla, is back with news tools, recently used in attacks against the US, Germany and Afghanistan.
On Tuesday, the Cisco Talos said the group, of Russian origin, has developed a new backdoor for persistence and secrecy.
Named TinyTurla, the previously unknown backdoor is simple to design but suitable for specific purposes, such as dumping and avoiding detection if the main Turla malware is removed from a compromised machine.
Zoe Konstantopoulou: Developments at STE for Mr Bitcoin
Giannis Andreou LIVE: Crypto, NFT, Metaverse forecasts
LIVE: GoldDigger credential detection & PinataHub platform
LIVE: SocialTruth project - The fake news detection system
SocialTruth European project - Live interview coming soon
Interview - Zoe Konstantopoulou for Alexander Vinnik
Turla, which has been active since 2004, also known as Snake and Uroburos, is a complex business with a large list of high profile victims in its portfolio. Its previous targets include the Pentagon, government and diplomatic services, military units, research institutes and more in at least 45 countries.
Now, the APT appears to be hitting the US, Germany and Afghanistan, the latter of which was targeted before the Taliban took over the country and the Western military forces withdrew.
Talos says the malware was most likely used in attempts to breach the previous government's systems.
A sample obtained by the team revealed that the backdoor, formed as .DLL, was installed as a service on a Windows machine. The file is named w64time.dll and as there is a legitimate Windows w32time.dll, it may not immediately appear malicious.
By name "Windows Time Service", The backdoor connects to a command and control server (C2) controlled by Turla and communicates with the system via an encrypted HTTPS channel every five seconds to check for new commands or instructions.
TinyTurla is able to upload and execute files and payloads, create subprocesses and filter data. The functionality and code of the backdoor is intentionally simplistic, to prevent detection as malware.
According to Talos, the backdoor has been in use since at least 2020.
Recently, its researchers Kaspersky found code overlaps between Turla, DarkHalo / UNC2452 APT, Sunburst backdoor and Kazuar backdoor. Although there are common features between Sunburst and Kazuar, it is not possible to infer with certainty any specific relationship between the threat groups and these tools.