NGO Targeted: UNC4210 Deploys TinyTurla-NG
The cybercrime collective known as UNC4210 attacked the digital infrastructure of a European non-governmental organization, deploying the TinyTurla-NG malware to establish a backdoor. The attack was documented in a report published by Cisco Talos.
During the intrusion, the attackers compromised a system within the unnamed NGO, secured persistent access, and configured antivirus exclusions to evade detection. UNC4210 then set up additional communication channels using the Chisel tunneling tool to exfiltrate data and move laterally to other systems within the network.
It was revealed that the initial breach occurred in October 2023, with Chisel being deployed in December 2023, and the data exfiltration taking place in January.
Throughout the attack, UNC4210 used its initial access to configure exclusions for Microsoft Defender, thereby evading detection, and installed TinyTurla-NG, which was persisted through the creation of a malicious service named “sdm,” masquerading as “Device Manager.”
The malicious software in this instance functioned as a backdoor, enabling the cybercriminals to conduct reconnaissance, exfiltrate files to a Command and Control (C2) server, and deploy a modified version of the Chisel tunneling program. The precise method of infiltration is still under investigation.
Once the attackers gained access to a new system, they replicated their maneuvers, creating exceptions for Microsoft Defender, installing malicious software, and ensuring its sustained operation within the system.
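The pattern described above, a Defender exclusion added shortly before a new service is installed from the excluded path, is something a defender can hunt for in Windows event logs. The following is an added example, not code from the Talos report; the event records, paths, and timestamps are constructed, and only the service name “sdm” and display name “Device Manager” come from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the Talos report), reduced to the fields
# this check needs. Event 5007 = Defender configuration changed;
# event 7045 = a service was installed on the system.
SAMPLE_EVENTS = [
    {"ts": "2023-10-12T09:01:10", "id": 5007,
     "msg": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\svc = 0x0"},
    {"ts": "2023-10-12T09:03:42", "id": 7045, "name": "sdm",
     "display": "Device Manager", "path": r"C:\ProgramData\svc\sdm.exe"},
    {"ts": "2023-10-12T11:30:00", "id": 7045, "name": "Spooler",
     "display": "Print Spooler", "path": r"C:\Windows\System32\spoolsv.exe"},
]

# Matches the registry value Defender reports when an exclusion is added.
EXCL_RE = re.compile(r"\\Exclusions\\(Paths|Extensions|Processes)\\(.+?) = ", re.I)


def exclusion_changes(events):
    """Return (timestamp, kind, value) for each Defender exclusion added."""
    out = []
    for ev in events:
        if ev["id"] != 5007:
            continue
        m = EXCL_RE.search(ev["msg"])
        if m:
            out.append((datetime.fromisoformat(ev["ts"]), m.group(1).lower(), m.group(2)))
    return out


def find_services_in_fresh_exclusions(events, window=timedelta(hours=24)):
    """Flag service installs whose binary lives under a path that was
    excluded from Defender within `window` before the install."""
    exclusions = exclusion_changes(events)
    alerts = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        installed = datetime.fromisoformat(ev["ts"])
        for when, kind, value in exclusions:
            if kind != "paths":
                continue
            prefix = value.lower().rstrip("\\") + "\\"
            if when <= installed <= when + window and ev["path"].lower().startswith(prefix):
                alerts.append({"service": ev["name"], "display": ev["display"],
                               "path": ev["path"], "excluded": value,
                               "lag_s": (installed - when).total_seconds()})
    return alerts
```

On the sample data only the “sdm” service is flagged, because its binary sits under the directory excluded 152 seconds earlier; the Print Spooler install is ignored.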
By the end of 2023, TinyTurla-NG had been detected within the networks of Polish NGOs. At that time, Cisco Talos experts reported that the malware was distributed through compromised WordPress sites, which also served as its Command and Control (C2) servers. TinyTurla-NG is capable of executing commands from the C2 server, uploading and downloading files, and delivering scripts that steal passwords from password management databases.