On February 15, 2024, Cisco Talos released a report detailing features of a newly identified backdoor attributed to the Russia-nexus Turla Group. According to the Talos' assessment, the backdoor appears to be a "small" implant with coding similarities to the TinyTurla backdoor, hence the name "TinyTurla-NG" assigned to the new one.
The backdoor has been observed in events targeting a Polish non-governmental organization at least since late 2023 up to late January 2024. It is believed this backdoor constitutes a residual tooling option for the Turla Group; the trojan was possibly deployed after other more complex malware became detectable by major security solutions.
The backdoor presents itself as a service dynamic link library (DLL) which starts via svchost.exe and leverages PowerShell and command prompt to execute arbitrary commands on the victim's host.
The backdoor prevents the host to log the PowerShell activity, thus attempting to reduce the attack footprint.
Persistence is created via manipulating Windows registry and file system through a batch script, ensuring the malicious DLL continues to run even after system reboots or user logouts.
The backdoor filters out files believed to be either uninteresting or too large in size to exfiltrate such as MP4 files. Targeted files are added to a ZIP archive and exfiltrated to the C2.
While Russian state-sponsored cyber threats impact Europe, on the other shore of the Atlantic, an operation of the US law enforcement disbands a network of Russia-controlled devices with capabilities to carry out espionage and other nefarious activities. On February 15, 2024, the US Department of Justice announced that, in January 2024, law enforcement neutralized a Russia-attributed botnet consisting of compromised Ubiquiti Edge OS routers. According to the press release, the Russian actor did not set up the botnet but rather acquired control of a network of devices compromised via Moobot, a Mirai variant.