Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor


Cisco Talos disclosed details of a three-month-long campaign where Russia-linked threat actor Turla has been targeting Polish non-governmental organizations with a new backdoor dubbed TinyTurla-NG. This campaign has been ongoing since December 18, 2023, with researchers suspecting that the activity may have actually commenced in November 2023 based on malware compilation dates. TinyTurla-NG shares similarities with TinyTurla, another payload that has been employed by the group to target entities in U.S., Germany, and Afghanistan since at least 2020. For its part, the new malware enables the actors backdoor access to victim environments and is capable of delivering PowerShell scripts designed to exfiltrate ey material used to secure the password databases of popular password management software, indicating Turla’s efforts to steal login credentials

Analyst Comments:
According to Cisco Talos, TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. While the exact method of how TinyTurla is being distributed, Turla has typically compromised WordPress-based websites as C2 endpoints to host PowerShell scripts and arbitrary commands that can be executed on the victim’s machine to further deploy its various payloads and perform other malicious operations.

Suggested Corrections:
Cisco Talos has released IOCs pertinent to the latest campaign which can be used for detection purposes:

In general, Administrators of content management sites like WordPress should periodically ensure that their plugins and site themes are up to date, whenever new patches are released, as threat actors can exploit them to compromise sites, which in turn can be used to host malicious software. Making sure a strong password policy is in place and that two-factor authentication is enabled, can be crucial in preventing attackers from compromising site accounts.