Turla APT Deploys New TinyTurla-NG Backdoor

At the close of 2023, researchers at Cisco Talos identified a campaign by the Turla APT group targeting Polish non-governmental organizations. The attack used a previously unseen backdoor, TinyTurla-NG.

A distinctive feature of TinyTurla-NG is that it serves as a fallback backdoor, activated only when the attackers' other access methods are detected or blocked. The documented campaign ran from December 18, 2023, to January 27, 2024, although the attacks may have begun as early as November 2023.

The malware was distributed through compromised WordPress sites, which also served as its command and control (C2) servers. TinyTurla-NG can execute commands received from the C2 server, upload and download files, and deploy scripts that steal passwords from password manager databases.

TinyTurla-NG also acts as a delivery channel for PowerShell scripts, dubbed TurlaPower-NG, designed to exfiltrate the data used to protect the databases of a popular password manager.

Researchers note that the campaign is focused on a small number of organizations, predominantly in Poland, reflecting the attackers' caution and complicating analysis of the malicious activity.