Russia-linked cyber espionage group Turla is using the backdoor since at least 2020.
Russia-linked Turla APT group recently used a new backdoor, dubbed TinyTurla, in a series of attacks against the US, Germany, and Afghanistan.
Cisco Talos researchers who reported it stated that the threat actors are using the backdoor since at least 2020.
The attacks against entities in Afghanistan took place prior to the Taliban’s recent takeover of the government in the country and the withdrawal of all military forces of the United States and its allies. Talos speculates that the threat actors targeted the previous Afghan government.
The previously undetected backdoor is likely used by the nation-state actor as a second-chance backdoor in case if the primary Turla malware is removed. The backdoor allows attacker to maintain access to the infected system and could also be used as a second-stage dropper to deliver additional payloads.
According to the analysis report by the researchers, the adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service “Windows Time Service”, like the existing Windows service. The backdoor can upload and execute files or exfiltrate files from the infected system. The backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The researchers have not yet discovered how the TinyTurla backdoor was installed on the victim system. Threat actors used a .bat file to deliver the backdoor that comes in the form of a service DLL called w64time.dll.
The main reason why the researchers have attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been attributed to their Penguin Turla Infrastructure.