Threat Watch

New Backdoor Originating From APT Turla Discovered

A newly discovered backdoor named “TinyTurla” was identified as originating from APT Group Turla, also known as Snake, Venomous Bear, Uroburos, and WhiteBear, an infamous Russian-supported espionage group that has been active since 2004. Malware including Crutch, Kuzuar, and potential links to Sunburst have been attributed to Turla. The group targets organizations and government entities world-wide, such as the Afghani government infrastructure prior to the Taliban advance.

Cisco Talos identified the backdoor during its use in Afghanistan. The backdoor was identified as using the name w64time.dll while attempting to blend in with legitimate Windows Time Services. The malware uses a 5 second beacon to communicate with a C2 server and is capable of downloading, uploading, or executing files. It is crafted to evade EDR and may have been active on Turla infected systems for over 2 years as a secondary route to maintain continued access to targeted systems.

A newly discovered backdoor named “TinyTurla” was identified as originating from APT Group Turla, also known as Snake, Venomous Bear, Uroburos, and WhiteBear, an infamous Russian-supported espionage group that has been active since 2004. Malware including Crutch, Kuzuar, and potential links to Sunburst have been attributed to Turla. The group targets organizations and government entities world-wide, such as the Afghani government infrastructure prior to the Taliban advance.

Cisco Talos identified the backdoor during its use in Afghanistan. The backdoor was identified as using the name w64time.dll while attempting to blend in with legitimate Windows Time Services. The malware uses a 5 second beacon to communicate with a C2 server and is capable of downloading, uploading, or executing files. It is crafted to evade EDR and may have been active on Turla infected systems for over 2 years as a secondary route to maintain continued access to targeted systems.

Graphical user interface, text, application
Description automatically generated

ANALYST NOTES

“TinyTurla” is believed to have been used as a secondary access channel. This is typical of Advanced Persistent Threat (APT) groups sponsored by state intelligence agencies, as well as other threat groups. Multiple access routes are installed that are directly used in threat group activity, especially when the primary access route is blocked or removed. This demonstrates the importance of comprehensive scoping during Incident Response (IR). Threat actors often install or alter target systems and then move to focus their activity in other areas in order to divert attention. TinyTurla, when active, contacted its Command and Control (C2) server every 5 seconds, but blended into legitimate Windows Time Services activity. A robust defense-in-depth strategy that focuses on post-exploitation detection via MDR and threat hunting, such as the services offered by Binary Defense, are necessary in order to defend an organization in today’s threat environment.

 

 

Reference:
https://thehackernews.com/2021/09/russian-turla-apt-group-deploying-new.html https://blog.talosintelligence.com/2021/09/tinyturla.html