APT group Turla using newly discovered backdoor in attacks against the U.S.
Posted by: GuidePoint Security
Published 9/30/21, 9:00am
The Russian-based advanced persistent threat (APT) group Turla is back with a newly discovered backdoor built for persistence, stealth, file execution and exfiltration, used against the U.S. and other government entities. Named ‘TinyTurla,’ the backdoor appears to have been in use since 2020; it can drop additional payloads and stay hidden even if Turla’s primary malware is removed from a compromised device. A sample of the backdoor acquired by researchers is named w64time.dll, which researchers believe is a deliberate attempt to disguise its activity by mimicking the name of the legitimate Windows w32time.dll file.
Past Turla targets include the Pentagon, as well as government and military organizations in 45 other countries. Researchers indicated that TinyTurla infections currently exist in the U.S., Germany, and Afghanistan. While Turla is well known to the cybersecurity community, this newer malware was only recently discovered, despite being in use for at least two years.
Turla, also known as Snake, Venomous Bear, Uroburos, and WhiteBear, is a Russian-based espionage-focused APT group, active since 2004. Other malware attributed to Turla includes Crutch and Kazuar. There are also possible links between Turla and the Sunburst SolarWinds Orion backdoor.
Next Steps
Security researchers are advising that, because of the backdoor’s limited functionality and basic coding style, antimalware systems may not flag it as malware. Since the malware contacts its command and control (C2) server every five seconds, researchers suggest a behavior-based detection approach that looks for that regular beaconing pattern in network traffic.
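To illustrate the behavior-based approach suggested above, here is an added example (not from the original post or from the researchers) that scans outbound connection records for hosts contacting one destination at a near-constant five-second cadence. The log format, addresses and timestamps are constructed samples; the interval and tolerance values are assumptions to tune for your environment.

```python
# Added example: detect fixed-interval beaconing (the ~5 s C2 check-in
# described in the article) from simple outbound connection records.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src> <dst> <dst_port>".
# 10.0.0.5 beacons to 198.51.100.7 every 5 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2021-09-28T10:00:00 10.0.0.5 198.51.100.7 443
2021-09-28T10:00:00 10.0.0.9 203.0.113.8 443
2021-09-28T10:00:03 10.0.0.9 203.0.113.8 443
2021-09-28T10:00:05 10.0.0.5 198.51.100.7 443
2021-09-28T10:00:10 10.0.0.5 198.51.100.7 443
2021-09-28T10:00:15 10.0.0.5 198.51.100.7 443
2021-09-28T10:00:20 10.0.0.5 198.51.100.7 443
2021-09-28T10:00:25 10.0.0.5 198.51.100.7 443
2021-09-28T10:00:40 10.0.0.9 203.0.113.8 443
2021-09-28T10:00:41 10.0.0.9 203.0.113.8 443
2021-09-28T10:01:30 10.0.0.9 203.0.113.8 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, port) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, interval=5.0, tolerance=0.5, min_events=4):
    """Return flows whose inter-connection gaps cluster tightly around
    `interval` seconds: mean gap within `tolerance` of the target and a
    low standard deviation (regular cadence, unlike human browsing)."""
    hits = []
    for key, times in flows.items():
        times = sorted(times)
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        if abs(avg - interval) <= tolerance and spread <= tolerance:
            hits.append((key, round(avg, 2), len(times)))
    return hits

if __name__ == "__main__":
    for key, avg, count in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {key} every ~{avg}s ({count} connections)")
```

Real deployments should apply this over longer windows (minutes to hours) and whitelist known periodic services such as NTP and monitoring agents to keep false positives manageable.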