
The Russia-linked threat actor Turla has infected multiple systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG.
“As part of their initial post-compromise actions, the attackers compromised the first system, established persistence, and added exclusions to the antivirus products running on these endpoints,” Cisco Talos said in a new report released today.
“Turla then opened additional communication channels through Chisel for data exfiltration and for pivoting to other accessible systems in the network.”
There is evidence that the infected systems were compromised as early as October 2023, that Chisel was deployed in December 2023, and that data exfiltration through the tool took place a month later (around January 12, 2024).

TinyTurla-NG was first documented by the cybersecurity firm last month, after it was found to be linked to cyberattacks against a Polish NGO working to improve democracy in Poland and support Ukraine during the Russian invasion.
Cisco Talos told The Hacker News at the time that the campaign appeared to be highly targeted, hitting a small number of organizations, most of which were based in Poland.

The attack chain involves Turla using its initial access to configure Microsoft Defender antivirus exclusions so that TinyTurla-NG can be dropped without being detected, and then persisting the implant by creating a malicious service named “sdm” that masquerades as a “System Device Administrator” service.
TinyTurla-NG acts as a backdoor for subsequent reconnaissance, exfiltrates files of interest to a command-and-control (C2) server, and deploys a customized version of the Chisel tunneling software. The exact initial entry vector is still under investigation.
“Once the attackers gain access to a new box, they repeat the campaign of creating Microsoft Defender exclusions, removing malware components, and creating persistence,” Talos researchers said.
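The two host-level artifacts the article describes, Defender exclusions added after compromise and a persistence service named “sdm”, are both easy to hunt for on a Windows endpoint. The following PowerShell is an added example written for this page; it is not code from Cisco Talos, from the report, or from The Hacker News. The service name “sdm” and the “System Device” display-name prefix come from the article; the “binary outside the Windows directory” heuristic and the choice of event IDs (Defender operational log 5007 for configuration changes, System log 7045 for service installation) are the author's assumptions about what a responder would correlate, not indicators published in the report.

```powershell
# Added hunting script (not from Cisco Talos or The Hacker News).
# Run in an elevated PowerShell session on the endpoint under investigation.
# Assumed indicator names from the article: service "sdm", display name "System Device*".

# 1. Current Microsoft Defender exclusions (paths, extensions, processes).
#    Anything the organization did not deliberately add is worth a second look.
$pref = Get-MpPreference
[pscustomobject]@{
    PathExclusions      = $pref.ExclusionPath
    ExtensionExclusions = $pref.ExclusionExtension
    ProcessExclusions   = $pref.ExclusionProcess
} | Format-List

# 2. When the Defender configuration changed. Event ID 5007 in the Defender
#    operational log records configuration changes, including new exclusions.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 3. Services matching the persistence artifact from the report, plus any service
#    whose binary lives outside the Windows directory (assumed heuristic, will
#    also list legitimate third-party services; triage them by vendor and path).
$suspectNames = @('sdm')
Get-CimInstance Win32_Service |
    Where-Object {
        $suspectNames -contains $_.Name -or
        $_.DisplayName -like 'System Device*' -or
        ($_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\')
    } |
    Select-Object Name, DisplayName, State, StartMode, PathName, StartName |
    Format-Table -Wrap

# 4. Service installation events (System log, Event ID 7045, Service Control Manager)
#    that mention the suspect names. Lining these up with the 5007 timestamps above
#    reconstructs the "add exclusion, drop implant, create service" sequence.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'sdm|System Device' } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Because the report says the same exclusion-then-service pattern was repeated on every newly accessed host, running this across all endpoints and sorting the 5007 and 7045 timestamps gives a first approximation of the lateral-movement order. Note that a clean 5007 history proves little if the log has been rolled over or cleared, so treat an absence of events as inconclusive.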