The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023.
“TinyTurla-NG, just like TinyTurla, is a small ‘last chance’ backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems,” Cisco Talos said in a technical report published today.
TinyTurla-NG is so named for exhibiting similarities with TinyTurla, another implant used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. TinyTurla was first documented by the cybersecurity company in September 2021.
Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB).
In recent months, the threat actor has singled out the defense sector in Ukraine and Eastern Europe with a novel .NET-based backdoor called DeliveryCheck, while also upgrading its staple second-stage implant known as Kazuar, which it has put to use as early as 2017.
The latest campaign involving TinyTurla-NG dates back to December 18, 2023, and is said to have been ongoing until January 27, 2024. However, it is suspected that the activity may have actually commenced in November 2023, based on the malware compilation dates.
It is currently not known how the backdoor is distributed to victim environments, but it has been found to use compromised WordPress-based websites as command-and-control (C2) endpoints to fetch and execute instructions, enabling it to run commands via PowerShell or Command Prompt (cmd.exe) as well as download/upload files.
TinyTurla-NG also acts as a conduit to deliver PowerShell scripts dubbed TurlaPower-NG that are designed to exfiltrate key material used to secure the password databases of popular password management software, packaged in the form of a ZIP archive.
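The C2 and exfiltration behaviour described above gives a defender two observable signals to correlate: shell processes (PowerShell or cmd.exe) spawned outside an interactive session that send traffic to WordPress paths on external hosts, and shell command lines that package files into ZIP archives. The following Python is an added example, not Cisco Talos's code or any published detection rule; the event format, process ids, host names, paths and the parent-process allowlist are constructed assumptions standing in for EDR or Sysmon process-creation and network-connection telemetry.

```python
"""Heuristic detection for the TinyTurla-NG behaviour described in the article.

Added example, not Cisco Talos code. Events are simplified dicts standing in
for EDR/Sysmon telemetry; every value below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: one process-creation or network event per dict.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "image": "C:\\Windows\\System32\\svchost.exe",
     "parent": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    # Hidden PowerShell launched by a non-interactive parent, then posting to a WordPress path.
    {"type": "process", "pid": 5120,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "updater.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\ProgramData\\t.ps1"},
    {"type": "network", "pid": 5120, "dest_host": "blog.example-compromised.test",
     "url": "/wp-content/uploads/x.php", "method": "POST"},
    # Benign: a user running dir from an interactive shell.
    {"type": "process", "pid": 6010, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "explorer.exe", "cmdline": "cmd.exe /c dir"},
    # Benign: a browser-like process fetching a WordPress asset (no shell involved).
    {"type": "network", "pid": 7700, "dest_host": "cdn.example.test",
     "url": "/wp-includes/js/jquery.js", "method": "GET"},
    # Shell spawned by a service, building a ZIP of user profile data.
    {"type": "process", "pid": 8800,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "svchost.exe",
     "cmdline": "powershell.exe Compress-Archive -Path C:\\Users\\u\\AppData\\Roaming\\vault "
                "-DestinationPath C:\\Users\\u\\AppData\\Local\\Temp\\k.zip"},
]

SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: parents considered "interactive" in this environment; tune per fleet.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "code.exe"}
# wp-content, wp-includes and wp-admin are standard WordPress directory names.
WP_PATH_RE = re.compile(r"/(wp-content|wp-includes|wp-admin)/", re.IGNORECASE)
# Signs that the shell is producing a ZIP archive (Compress-Archive cmdlet or a .zip target).
ARCHIVE_RE = re.compile(r"compress-archive|\.zip\b", re.IGNORECASE)


def is_shell(image: str) -> bool:
    """True when the image's file name is one of the shell binaries we care about."""
    return image.lower().rsplit("\\", 1)[-1] in SHELL_IMAGES


def find_suspicious(events):
    """Return alerts for shell processes that show at least two of three signals:
    non-interactive parent, outbound traffic to a WordPress path, ZIP archive creation.
    Requiring two signals keeps a lone 'cmd.exe /c dir' from an odd parent quiet."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    nets = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            nets[e["pid"]].append(e)

    alerts = []
    for pid, p in procs.items():
        if not is_shell(p["image"]):
            continue
        reasons = []
        if p["parent"].lower() not in INTERACTIVE_PARENTS:
            reasons.append(f"shell spawned by non-interactive parent {p['parent']}")
        wp_hits = [n for n in nets[pid] if WP_PATH_RE.search(n["url"])]
        if wp_hits:
            reasons.append(f"outbound {wp_hits[0]['method']} to WordPress path on "
                           f"{wp_hits[0]['dest_host']}")
        if ARCHIVE_RE.search(p["cmdline"]):
            reasons.append("command line creates a ZIP archive")
        if len(reasons) >= 2:
            alerts.append({"pid": pid, "image": p["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"])
        for r in alert["reasons"]:
            print("   -", r)
```

On the constructed input this flags pids 5120 (hidden shell from a non-interactive parent posting to a WordPress path) and 8800 (service-spawned shell creating a ZIP), and leaves the interactive `cmd.exe /c dir` and the browser-style WordPress asset fetch alone. The two-signal threshold is a design choice, not a published rule; in production the parent allowlist and the WordPress-path check would be tuned against the organisation's own baseline, since plenty of legitimate sites run WordPress.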
The disclosure comes as Microsoft and OpenAI revealed that nation-state actors from Russia are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) like ChatGPT, to understand satellite communication protocols and radar imaging technologies, and to seek help with scripting tasks.