New details of the recently discovered TinyTurla-NG backdoor show that the implant deploys Chisel, an open-source TCP/UDP tunnelling tool, as part of its post-compromise activity, and that the operators use two separate batch files to create a Windows service that keeps the implant running on the compromised machine.
The TinyTurla-NG backdoor is a relatively new addition to the toolbox of the Turla APT group, a team that has been attributed to the Russian FSB and has been active for many years. Researchers from Cisco’s Talos Intelligence Team discovered the backdoor earlier this year and found that it had been deployed during intrusions at non-governmental organizations in Poland beginning in at least October 2023. The end goal of the intrusions is data exfiltration and credential harvesting, but the attackers also move laterally across the network during an intrusion.
“Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor. Once exclusions have been set up, TTNG is written to the disk, and persistence is established by creating a malicious service. After gaining initial access, Turla first adds exclusions in the anti-virus software, such as Microsoft Defender, to locations they will use to host the implant on the compromised systems,” the Talos researchers said in a new analysis of the backdoor.
Once the implant is on a new machine, the two batch files establish persistence by registering it as a Windows service named “sdm”. Once the service is created, the implant executes and then begins reconnaissance of the host, looking for directories and files of interest to the attackers.
“TinyTurla-NG is instrumented further to conduct additional reconnaissance of directories of interest and then copy files to a temporary staging directory on the infected system, followed by subsequent exfiltration to the C2. TinyTurla-NG is also used to deploy a custom-built Chisel beacon from the open-sourced offensive framework,” the researchers said.
The Chisel client dials out from the infected host to a server that the Turla attackers control and establishes a reverse proxy over that connection, giving the attackers a path back into the victim’s internal network that they then use to move to other systems. Because the connection is initiated from the inside, it passes through firewalls that only block inbound traffic. The systems that Talos observed with TinyTurla-NG infections were compromised in October 2023, but most of the data was exfiltrated from the systems in mid-January.
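The three host-side traces described above (anti-virus exclusions added before the implant is written, the “sdm” persistence service, and a Chisel client holding an outbound connection) can be checked on a single Windows machine with a short triage script. The script below is an added example written for this article; it is not code from the Talos report or from Turla’s tooling. It assumes Microsoft Defender is the anti-virus in use (the `Get-MpPreference` cmdlet only exists where the Defender module is installed), that it runs in an elevated PowerShell session, and that the empty `$knownGood` list is replaced with the exclusions your own configuration management deliberately creates.

```powershell
# Added triage script (example only, not from the Talos report or the article).
# Run elevated on the host being examined. Assumes Microsoft Defender is the AV.

function Find-TinyTurlaNGTraces {
    $findings = @()

    # 1. Anti-virus exclusions. The operators add exclusions for the directories
    #    that will hold the implant before dropping it, so any exclusion that is
    #    not part of your own baseline deserves a look. $knownGood is an
    #    assumption: fill it with the paths/processes your configuration
    #    management actually sets; it is empty here on purpose.
    $knownGood = @()
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $pref = Get-MpPreference
        $all = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
        foreach ($entry in $all) {
            if ($entry -and ($knownGood -notcontains $entry)) {
                $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $entry }
            }
        }
    }

    # 2. The persistence service. The name 'sdm' is the one reported for
    #    TinyTurla-NG; the match is exact so a legitimately named service with a
    #    similar prefix does not fire. The image path is reported so the analyst
    #    can see what the service actually launches.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'sdm'"
    foreach ($s in @($svc)) {
        if ($s) {
            $findings += [pscustomobject]@{
                Check  = 'PersistenceService'
                Detail = "$($s.Name) -> $($s.PathName) (start=$($s.StartMode), state=$($s.State))"
            }
        }
    }

    # 3. The Chisel reverse proxy. Chisel is a client that connects OUT to the
    #    attacker's server, so enumerate established outbound TCP connections and
    #    flag the owning processes whose image name contains 'chisel'. The binary
    #    is trivially renamed, so an empty result here is not a clean verdict;
    #    the same loop can be widened to report every process with an
    #    established connection for manual review.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -match 'chisel') {
            $findings += [pscustomobject]@{
                Check  = 'ChiselConnection'
                Detail = "$($proc.ProcessName) (pid $($proc.Id)) -> $($c.RemoteAddress):$($c.RemotePort)"
            }
        }
    }

    return $findings
}

# Usage: print the findings as a table; an empty table means none of the three
# traces was found on this host with the assumptions above.
Find-TinyTurlaNGTraces | Format-Table -AutoSize
```

The Defender check is the most useful of the three in practice: an exclusion added by an intruder survives reboots and reimaging of the implant itself, and a diff of `Get-MpPreference` output against a known baseline is cheap to run across a fleet. The service and process checks are tied to the specific names reported here and should be treated as starting points, not as a complete signature for the tooling.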
The Turla threat actors have used a wide range of tools over the years and have targeted many different types of organizations. In recent years, the group has targeted Ukrainian organizations, including defense and military organizations.