Posted on September 22, 2021 at 3:23 PM
The Turla hacking group has returned with a new, deliberately simple backdoor, which it has used in a series of attacks on targets in the US, Germany and Afghanistan.
A recent report from Cisco Talos states that Turla is using this new backdoor to maintain quiet, persistent access to compromised systems. The group is attributed to Russia and is known for advanced persistent threat (APT) operations.
Simple but Effective Technique
Turla has developed a backdoor, named TinyTurla by Talos, that is deliberately simple in design. It is built for a narrow set of tasks, such as dropping additional payloads, and its small footprint helps it go unnoticed. Talos assesses that it serves as a second-chance backdoor: if the group's primary malware is discovered and erased from the affected device, TinyTurla keeps a way back in.
Turla has been active since at least 2004 and also goes by the names Snake and Uroburos. It has been linked to a series of attacks on high-profile organizations, including government agencies, diplomatic missions, the Pentagon, research institutions and military bodies, in over 45 countries.
It now appears the group has turned its attention to Afghanistan, the US and Germany. Talos reports that the targeting of Afghanistan began before US and other Western forces left the country and the Taliban took control of the government.
Talos also assessed it likely that the group was using the backdoor in an attempt to compromise the IT systems of the previous Afghan government.
A sample collected by the team shows that the backdoor is a DLL installed as a Windows service. The file is named w64time.dll, a name chosen to blend in with w32time.dll, the legitimate DLL behind the Windows Time service. An administrator skimming the service list can easily take it for a Microsoft component, and the name alone will not cause it to be flagged as malicious.
Once installed, the backdoor connects to a command-and-control (C2) server operated by Turla over an encrypted HTTPS channel, checking in every five seconds to ask for new instructions. Each poll returns any newly queued commands for the implant to carry out, so the operators can drive it with very little traffic per request.
TinyTurla has a useful set of capabilities despite its simple design: it can upload and execute files and payloads, spawn subprocesses and exfiltrate data from the device.
Researchers suggest the limited feature set is likely intentional. With less code and fewer observable behaviours, the backdoor is harder for security tools and analysts to recognise as malicious.
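A fixed five-second poll over HTTPS leaves nothing readable in the payload, but the timing itself is a signal. The script below, an added example for this article and not code from Cisco Talos or from TinyTurla, looks for connection series whose inter-arrival gaps are nearly constant. It assumes a simple `timestamp,src_ip,dst_host,dst_port` export from a proxy or flow log; the records in `SAMPLE_LOG` are constructed for the demonstration, not real telemetry.

```python
"""Flag fixed-interval beaconing in web-proxy or flow logs.

Added example for this article, not code from Cisco Talos or from TinyTurla.
Assumes a 'timestamp,src_ip,dst_host,dst_port' export; SAMPLE_LOG below is
constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 polls 203.0.113.10:443 every ~5 s (implant-like),
# 10.0.0.7 browses 198.51.100.20 at irregular, human-paced intervals, and
# 10.0.0.5 touches 198.51.100.30 only twice (too few records to judge).
SAMPLE_LOG = """\
2021-09-01T10:00:00.000,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:05.100,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:10.050,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:15.200,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:20.100,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:25.000,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:30.150,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:35.050,10.0.0.5,203.0.113.10,443
2021-09-01T10:00:01.000,10.0.0.7,198.51.100.20,443
2021-09-01T10:00:03.500,10.0.0.7,198.51.100.20,443
2021-09-01T10:00:41.000,10.0.0.7,198.51.100.20,443
2021-09-01T10:01:20.000,10.0.0.7,198.51.100.20,443
2021-09-01T10:01:22.000,10.0.0.7,198.51.100.20,443
2021-09-01T10:02:10.000,10.0.0.7,198.51.100.20,443
2021-09-01T10:03:00.000,10.0.0.7,198.51.100.20,443
2021-09-01T10:00:02.000,10.0.0.5,198.51.100.30,443
2021-09-01T10:00:07.000,10.0.0.5,198.51.100.30,443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        series[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return series


def find_beacons(text, min_count=6, max_cv=0.10):
    """Return (src, dst, port) series whose gaps are nearly constant.

    A coefficient of variation (stdev / mean) at or below max_cv across at
    least min_count connections is treated as machine-driven polling.
    """
    findings = []
    for (src, dst, port), stamps in parse_log(text).items():
        if len(stamps) < min_count:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(stamps),
                             "mean_interval": round(avg, 3),
                             "cv": round(cv, 4)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every "
              f"{f['mean_interval']}s (n={f['count']}, cv={f['cv']})")
```

Run against the sample, only the 10.0.0.5 to 203.0.113.10 series is reported, at roughly a five-second mean with a coefficient of variation near 0.02. Monitoring agents and update clients also poll on fixed timers, so a hit is a lead to baseline against known software on that host, not a verdict; thresholds should be tuned to your own traffic before this is used for alerting.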
Several Factors Attribute the Backdoor to Turla
The researchers cite several reasons for attributing the backdoor to Turla. It has been in use since at least 2020, and over that time there is evidence it has been used in several attacks.
“One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been attributed to their Penguin Turla Infrastructure,” the researchers stated.
The researchers also noted that it is often hard for an administrator to verify every piece of software and every service running on a device. They pointed to the need for tooling and automated checks that flag running services which are not part of the device's known, legitimate configuration.
Beyond that, skilled analysts are needed to examine devices suspected of infection; they can uncover services that are malicious but disguised as legitimate components.
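The masquerade described earlier (w64time.dll posing as the Windows Time service's w32time.dll) is exactly the case such a check should catch. The script below is an added example for this article, not code from Cisco Talos. It audits a per-host inventory of service DLLs, flagging any DLL that is absent from a known-good baseline, any whose name differs from a baseline name only in its digits, and any that lacks a valid Authenticode signature. The `INVENTORY` entries are constructed, and `KNOWN_GOOD_DLLS` is assumed to have been collected from a clean reference host of the same Windows build.

```python
"""Audit a host's service DLL inventory for rogue, look-alike components.

Added example for this article, not code from Cisco Talos. Works on a
constructed inventory of the kind you would export per host: service name,
the ServiceDll value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters,
and the Authenticode result for that file. INVENTORY below is made up, and
KNOWN_GOOD_DLLS is assumed to come from a clean reference build.
"""
import re

# Assumed baseline of legitimate service DLL file names from a reference host.
KNOWN_GOOD_DLLS = {"w32time.dll", "wuaueng.dll", "schedsvc.dll",
                   "dnsrslvr.dll", "bits.dll"}

# Constructed inventory. The W64Time row mirrors the install described in the
# article: a DLL named to blend in with the Windows Time service.
INVENTORY = [
    {"service": "W32Time", "service_dll": r"%SystemRoot%\system32\w32time.dll",
     "signer": "Microsoft Windows", "signature_valid": True},
    {"service": "BITS", "service_dll": r"%SystemRoot%\System32\bits.dll",
     "signer": "Microsoft Windows", "signature_valid": True},
    {"service": "W64Time", "service_dll": r"%SystemRoot%\system32\w64time.dll",
     "signer": None, "signature_valid": False},
    {"service": "AcmeAgent", "service_dll": r"C:\Program Files\Acme\agent.dll",
     "signer": "Acme Corp", "signature_valid": True},
]


def dll_name(path):
    """File-name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _stem(name):
    """Drop digits so w64time.dll and w32time.dll compare equal."""
    return re.sub(r"\d+", "", name)


def lookalike_of(name, baseline):
    """Baseline file name that differs from `name` only in its digits, else None."""
    stem = _stem(name)
    return next((k for k in sorted(baseline) if k != name and _stem(k) == stem), None)


def audit(inventory, baseline=KNOWN_GOOD_DLLS):
    """Score each service DLL; anything returned deserves a look, 'high' first."""
    findings = []
    for entry in inventory:
        name = dll_name(entry["service_dll"])
        reasons = []
        severity = "low"
        if name not in baseline:
            reasons.append("DLL not in known-good baseline")
            severity = "medium"
            twin = lookalike_of(name, baseline)
            if twin:
                reasons.append(f"name is a look-alike of {twin}")
                severity = "high"
        if not entry["signature_valid"]:
            reasons.append("no valid Authenticode signature")
            # An unsigned DLL loaded as a service out of system32 is not normal.
            if "\\system32\\" in entry["service_dll"].lower():
                severity = "high"
            elif severity == "low":
                severity = "medium"
        if reasons:
            findings.append({"service": entry["service"], "dll": name,
                             "severity": severity, "reasons": reasons})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f['severity']}] {f['service']} ({f['dll']}): "
              + "; ".join(f["reasons"]))
```

On the constructed inventory, W64Time comes out as high (look-alike of w32time.dll, unsigned, in system32) and the third-party AcmeAgent as medium (not in the baseline but validly signed by its vendor), while the genuine Microsoft services are silent. On a live host the inventory can be produced with Get-CimInstance Win32_Service, each service's Parameters\ServiceDll registry value and Get-AuthenticodeSignature, and the baseline must be kept per Windows build. The check only catches the name-level masquerade the article describes; a validly signed DLL under a legitimate name still needs the analyst review the researchers call for.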
This is not the first time Turla tooling has been connected to malware used by other actors. Kaspersky researchers reported code overlaps between Kazuar, a backdoor attributed to Turla, and Sunburst, the backdoor deployed by DarkHalo/UNC2452 in the SolarWinds supply-chain compromise.
That research points to concrete features shared by Sunburst and Kazuar. It does not, however, establish that the two groups are linked or that they collaborated on the tools; code overlap on its own can have other explanations, such as a shared developer or deliberate imitation. What is clear is that all of these tools are sophisticated and built to steal information from compromised systems while staying out of sight.