Russian hackers are employing TinyTurla-NG to breach systems of a European NGO
The Russia-associated threat group known as Turla infiltrated numerous systems belonging to an undisclosed European non-governmental organization (NGO) with the intention of deploying a backdoor named TinyTurla-NG.
According to a recent report by Cisco Talos, the attackers compromised a first system and, as their earliest post-compromise actions, established persistence and added exclusions to the antivirus software on the affected endpoints.
Following this, Turla established additional communication channels through Chisel for data exfiltration and to maneuver into other accessible systems within the network.
Evidence suggests that the infiltration of the affected systems dates back to as early as October 2023, with Chisel being deployed in December 2023, and data exfiltration occurring via the tool around January 12, 2024.
TinyTurla-NG was recently identified by the same cybersecurity firm after it was used in a cyberattack on a Polish NGO dedicated to strengthening Polish democracy and supporting Ukraine amid the Russian invasion.
According to Cisco Talos, the attack appears highly targeted, focusing primarily on a few organizations, predominantly situated in Poland.
The attack process entails Turla using its initial access to configure exclusions in Microsoft Defender antivirus, so that TinyTurla-NG can be deployed without being detected. Persistence is maintained by installing a malicious "sdm" service that poses as a "System Device Manager" service.
TinyTurla-NG serves as a backdoor for subsequent reconnaissance, file exfiltration to a command-and-control (C2) server, and the deployment of a customized version of Chisel tunneling software.
Upon gaining access to a new system, the attackers replicate their actions to set up Microsoft Defender exclusions, deploy malware components, and establish persistence.
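The following PowerShell audit script is an added example for defenders; it is not from the Cisco Talos report or from the article. It assumes it is run with administrative rights on a Windows host that has Microsoft Defender and its PowerShell module installed, and it checks for the three artefacts the article describes on each compromised system: Defender exclusions, a service named "sdm" or displayed as "System Device Manager", and Defender configuration-change events that record exclusion edits. The 30-day window and the output layout are choices made for this example.

```powershell
# Added defender-side audit script (not from the Cisco Talos report or the article).
# Assumes administrative rights and an available Defender PowerShell module.
# Collects three artefacts described in the report: Defender exclusions,
# a service named "sdm" or displayed as "System Device Manager",
# and Defender configuration-change events (Event ID 5007).

$findings = @()

# 1. Enumerate every Defender exclusion. Each entry should be traceable to a
#    change request; intruders add exclusions so their tooling is never scanned.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension', 'ExclusionIpAddress') {
    foreach ($entry in @($pref.$kind)) {
        if ($entry) {
            $findings += [pscustomobject]@{ Type = "Defender $kind"; Value = $entry }
        }
    }
}

# 2. Look for the service name and display name quoted in the report, and record
#    the binary each matching service launches and its current state.
$services = Get-CimInstance -ClassName Win32_Service
foreach ($svc in $services) {
    if ($svc.Name -eq 'sdm' -or $svc.DisplayName -like '*System Device Manager*') {
        $findings += [pscustomobject]@{
            Type  = 'Suspicious service'
            Value = "$($svc.Name) ($($svc.DisplayName)) -> $($svc.PathName) [state: $($svc.State)]"
        }
    }
}

# 3. Pull Defender configuration-change events (ID 5007) from the last 30 days
#    (window chosen for this example). Exclusion edits appear here with the
#    changed setting named in the message text.
$since = (Get-Date).AddDays(-30)
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction Stop
    foreach ($e in $events) {
        if ($e.Message -match 'Exclusions') {
            $findings += [pscustomobject]@{
                Type  = 'Defender config change'
                Value = "$($e.TimeCreated): $($e.Message -replace '\s+', ' ')"
            }
        }
    }
} catch {
    # Get-WinEvent raises an error when nothing matches; that is a clean result.
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender exclusions, matching services or exclusion-change events found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Because the article notes that the same steps were repeated on every system the attackers reached, the script is meant to be run across all hosts in scope rather than only on the one where the intrusion was first noticed; any exclusion or service it lists should be compared against the organization's change records before being treated as benign.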