TinyTurla Spyware Keeps a Secret Backdoor on Target Devices

Cisco Talos recently discovered a new backdoor used by the group Russian Turla APT affecting countries such as Afghanistan, Germany, and the United States.

TinyTurla Spyware Keeps a Secret Backdoor on Target Devices
TinyTurla Spyware Keeps a Secret Backdoor on Target Devices | Image credits: Kaspersky

Talos discovered a previously unknown Turla APT backdoor. With this simple backdoor, you can still access the machine even after the virus that infected it has been eradicated. It might also be used as a second-stage dropper to inject malware.

The backdoor is set up as a service on the infected machine. Instead of calling the service something apparent like "Windows Time Service," they called it "Windows Time Service." The backdoor can exfiltrate or upload files via the infected system's backdoor. Every five seconds, the backdoor checks the C2 server for new orders over an encrypted HTTPS connection.
Because of its limited functionality and basic coding approach, anti-malware solutions struggle to detect this backdoor. This program has been used by enemies since at least 2020.

This spyware got researchers' attention as soon as the Taliban took power in Afghanistan before NATO left. Cisco Talos bases this on forensic evidence, satellite photography, open-source data, and other sources. This is a great example of how tough it is to ignore dangerous programs on today's clouds systems with legitimate applications always running in the background. Administrators struggle to verify the legitimacy of all running services. Proper forensic investigation of potentially infected systems requires software and/or automated systems as well as a team of qualified individuals.

Turla's malware has been enhanced

The malware checks in with C2 every five seconds. This network traffic anomaly is a great example of how a proper defense system would identify network behavior-based detection. Turla's threat is widely recognized and closely monitored by the security industry. But it appears their backdoor worked for nearly two years. This demonstrates the defense's need for improvement.

Turla's been an official actor for decades and is unlikely to leave. Malware uses complex capabilities, yet it can also use simple approaches that go unreported. Despite this, they make the same errors as everyone else. Talos has tracked Turla's noisy behaviors. During their campaigns, they access compromised servers via SSH and TOR, usually with TOR encryption. We also ascribed it to Turla because it shares infrastructure with past attacks attributed to Turla's Penguin Turla Infrastructure.