Bad actors (hackers) increasingly leave a secondary backdoor behind on the networks they compromise. One example is 'TinyTurla', which hides as the Windows Time Service.
Paying a ransom to cybercriminals is painful. But what if the 'thing' they installed to freeze your system never actually left your network, even after you paid?
In CRINTEL's previous blog, "Ransomware Attack: What happens after you pay? (It's scary!)", we noted that paying a ransom doesn't necessarily make you safe.
As a business owner, it’s important to know about the latest cyber risks that may disrupt your business success and long-term goals.
Five things you need to know about ‘TinyTurla’:
1. Involved in the recent havoc in Afghanistan
The Russian-linked group 'Turla' (also known as Turla APT) has been deploying this secondary backdoor to numerous targets. Although only recently discovered, TinyTurla has been in use since at least 2020 against organisations in Germany and the US.
It was apparently also used to compromise agencies and organisations in Afghanistan shortly before the Taliban took control of the country.
Cisco Talos reported that the backdoor only came to its attention through that activity against the previous Afghan government. Its purpose is to keep the attackers' foothold on devices that were already infected, even if their primary malware is found and removed.
2. It has been here since the mid-90s
It may be tagged 'newly discovered', but the group behind TinyTurla, Turla, has been active since the 1990s. In fact, it's one of the oldest threat groups reportedly linked to Russia.
How? It is believed to operate on behalf of the FSB (the successor to the KGB). Turla mainly targets military agencies, government agencies and other organisations.
Like many other threat actors, this group changes and innovates its tactics to avoid detection and keep up with the defences developed to stop it.
According to a VMware report, researchers have seen Turla consistently advance its methods and operations to exfiltrate sensitive information and, ultimately, to paralyse or destroy infrastructure or networks.
Turla is usually grouped with other Russian-backed APT groups such as APT29, Sandworm and APT28.
3. It’s very persistent
TinyTurla is a malicious DLL installed as a Windows service that masquerades as the legitimate Microsoft 'Windows Time Service' (whose real binary is w32time.dll). Once registered, it runs in the background alongside the legitimate services on the infected device and is easily overlooked because it is so quiet.
Because it rides on the back of services that are always running, it is a serious challenge for an administrator to spot. Finding it takes people skilled in forensic analysis and the tooling to go with them.
Because so little is known about its movements, even after Cisco Talos researchers discovered TinyTurla it was not clear how the attackers initially installed the backdoor on the infected devices.
After the initial compromise, the attackers use a .BAT file to register the DLL as a service so that the backdoor starts with Windows. As mentioned earlier, its job is to stay inside a system that has already been compromised.
If your device or system has been compromised in the past, the danger TinyTurla poses is that the attackers can come back at any time. Its technique of blending in with legitimate background services makes it a persistent danger to infected devices.
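A practical check for the masquerade described above, added here as an example. It is not from the original article or from Cisco Talos, and it assumes nothing about TinyTurla beyond what the article states: a service DLL posing as the Windows Time Service. It walks every installed service, resolves the code that actually runs (the ServiceDll for svchost-hosted services, otherwise the executable in the service path) and flags time-service lookalikes, code outside System32, and code not signed by Microsoft. Run it in an elevated PowerShell session; the flags are leads for triage, not verdicts, because some legitimate third-party services also live outside System32.

```powershell
# Added example (not code from the original article or from Cisco Talos).
# Hunts for a service DLL posing as the Windows Time Service: the only
# legitimate one is 'W32Time', hosted by svchost with its ServiceDll
# (w32time.dll) under %SystemRoot%\System32 and signed by Microsoft.
# Run in an elevated PowerShell session on the host being checked.

$system32 = Join-Path $env:SystemRoot 'System32'

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_

    # svchost-hosted services keep the code that really runs in a ServiceDll value.
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

    # Otherwise fall back to the executable named in the service's command line.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $code = if ($dll) { $dll } else { $exe }

    $looksLikeTime = ($svc.DisplayName -match 'Time Service') -or ($svc.Name -match '^w\d+time$')
    $findings = @()

    # 1. A time-service lookalike whose service name is not the built-in W32Time.
    if ($looksLikeTime -and $svc.Name -ne 'W32Time') {
        $findings += "name '$($svc.Name)' imitates W32Time"
    }

    # 2. Service code living outside System32.
    if ($code -and -not $code.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "code outside System32: $code"
    }

    # 3. Code that is unsigned or not signed by Microsoft.
    if ($code -and (Test-Path -LiteralPath $code)) {
        $sig = Get-AuthenticodeSignature -FilePath $code
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
        }
    }

    # Report time-service lookalikes and any svchost-hosted service with a finding;
    # ordinary third-party executables outside System32 are left for normal triage.
    if ($findings.Count -gt 0 -and ($looksLikeTime -or $dll)) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            Code        = $code
            Findings    = ($findings -join '; ')
        }
    }
} | Format-Table -AutoSize -Wrap
```

On a clean machine the output is empty: W32Time resolves to System32\w32time.dll with a valid Microsoft signature. A second service with a 'Time Service' display name, or any svchost-hosted DLL sitting outside System32 or carrying a non-Microsoft signature, is worth pulling for forensic analysis before the attackers use it to return.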
4. It has limited functionality
The TinyTurla backdoor, as difficult as it is to track, has limited functionality. Its main tasks are to:
- Download files
- Upload files
- Execute files
Based on the report, once installed the malware contacts the attackers' server over an HTTPS-encrypted channel.
It polls the command-and-control server every five seconds to check for new commands.
Aside from its own backdoor functions, TinyTurla lets the attackers install other malicious code on the device. Because it blends in with legitimate background services, security tools may overlook it or fail to uncover it.
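The five-second polling interval described above is itself a detection opportunity: a host that contacts the same server on a fixed clock looks nothing like a person browsing. The example below is added here and is not from the original article or from Cisco Talos. It scores each client-to-server pair in proxy log lines by how regular the gaps between connections are, so it finds any fixed period, not only five seconds. The log lines, IP address and host names are constructed for the demo, and the log format (timestamp, client, destination host, port, method, status) is an assumption; adapt the field positions to your own proxy.

```powershell
# Added example (not code from the original article or from Cisco Talos):
# flag fixed-interval beaconing, such as a backdoor polling its HTTPS C2 every
# five seconds, in web-proxy logs. Assumed log format (one connection per line):
#   <ISO-8601 UTC time> <client IP> <destination host> <port> <method> <status>
# The lines, addresses and host names below are constructed for the demo.

$logLines = @(
    '2021-09-21T10:00:00Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:02Z 10.0.0.25 www.example.org 443 CONNECT 200'
    '2021-09-21T10:00:03Z 10.0.0.25 www.example.org 443 CONNECT 200'
    '2021-09-21T10:00:05Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:10Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:11Z 10.0.0.25 www.example.org 443 CONNECT 200'
    '2021-09-21T10:00:15Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:20Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:25Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:30Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:35Z 10.0.0.25 cdn-sync.example.net 443 CONNECT 200'
    '2021-09-21T10:00:40Z 10.0.0.25 www.example.org 443 CONNECT 200'
    '2021-09-21T10:01:15Z 10.0.0.25 www.example.org 443 CONNECT 200'
    '2021-09-21T10:02:30Z 10.0.0.25 www.example.org 443 CONNECT 200'
)

function Find-Beacons {
    param(
        [string[]] $Lines,
        [int]      $MinHits   = 6,     # ignore pairs with fewer connections than this
        [double]   $MaxJitter = 0.1    # max coefficient of variation of the gap length
    )

    # Parse each line into (time, client -> host:port).
    $events = foreach ($line in $Lines) {
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time = [datetime]::Parse($f[0], [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
            Pair = "$($f[1]) -> $($f[2]):$($f[3])"
        }
    }

    foreach ($group in ($events | Group-Object Pair)) {
        if ($group.Count -lt $MinHits) { continue }

        # Gaps in seconds between consecutive connections of this pair.
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $gaps  = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }

        $mean = ($gaps | Measure-Object -Average).Average
        if ($mean -le 0) { continue }
        $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv   = [math]::Sqrt($var) / $mean

        # A tight coefficient of variation means a clock, not a person, is driving the traffic.
        if ($cv -le $MaxJitter) {
            [pscustomobject]@{
                Pair      = $group.Name
                Hits      = $group.Count
                PeriodSec = [math]::Round($mean, 2)
                Jitter    = [math]::Round($cv, 3)
            }
        }
    }
}

Find-Beacons -Lines $logLines | Format-Table -AutoSize
```

With the constructed input, only the pair to cdn-sync.example.net is reported (8 hits, a 5-second period, zero jitter); the browsing to www.example.org has six hits too, but its irregular gaps fail the jitter test. Implants that randomise their sleep need a looser MaxJitter and a longer window, so run this over at least a day of logs and treat a low-jitter pair to an unfamiliar host as a lead for the host check, not as proof on its own.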
5. It affects small businesses right through to the biggest corporations and governments.
Through years of research, several intrusions performed by Turla using its techniques and tools have been documented. These include:
- An IronPython-based malware loader called "IronNetInjector", which Palo Alto Networks' Unit 42 found Turla deploying
- Kazuar, a backdoor attributed to Turla, which Kaspersky found shares code similarities with the Sunburst backdoor used in the SolarWinds supply chain attack
The US government has already sanctioned Russia over the SolarWinds cyberespionage campaign, attributing it to the Russian Foreign Intelligence Service (SVR). That campaign affected SolarWinds customers including nine federal agencies, and the sanctions also cited disinformation campaigns around the 2020 US elections.
The US government specifically called out APT29, or Cozy Bear, and Kaspersky's report on the Sunburst and Kazuar code overlap has raised the question of links between APT29 and Turla over the years.
If an attacker of this calibre could work its way through the SolarWinds supply chain, how much more damage could be done if your business were the next target?
Already-compromised devices are what they prey on. Just because you paid a ransom, it doesn't mean the hackers will be decent enough to leave you alone.
How is this related to you and your business?
A ransomware attack doesn't end when the ransom is paid. Once you have been victimised, your business may also be exposed to further threats: bad actors as vicious and quiet as TinyTurla, or the many other pieces of malware the Turla group deploys.
Often, before the ransom demand is even made, a dormant backdoor has already been installed to allow faster re-entry later.
To confuse the IT consultants and cybersecurity teams tasked with cleaning up, attackers often plant multiple backdoors, such as a fake 'Windows Time Service', with some playing a sacrificial role to trick the responder into thinking every dormant backdoor has been found.
Still, the best thing you can do is stay vigilant and careful so you don't fall into the hands of cybercriminals.
Knowing the dangers to your business and its success is of the highest importance.
The most common initial compromise is stolen business credentials, which hackers then sell on the dark web.
Access to your business credentials is the launch point for the next attack, and once a device is infected, malware like TinyTurla can keep your network, devices and operations in an endless loop of compromise.
This is why businesses, small and large, are investing in Cyber Intelligence solutions, like CRINTEL to act as a double-check for their cybersecurity teams.
CRINTEL helps SMEs deal with the dangers of the Dark Web
CRINTEL – Cyber Risk Intelligence is a Private Intelligence Agency (PIA) that specialises in Cyber Threat and Risk Intelligence originating from the Dark Web.
We work as a co-managed solution, supporting your internal team and your external IT and cybersecurity advisors with 24/7 live monitoring of the dark web.
Our Threat Intelligence Units (TIUs) monitor your business domain, email addresses and key suppliers, looking for exposed credentials belonging to your business and suppliers that are up for sale on the dark web.
Our enterprise-level cyber intelligence systems, used by Fortune 500 companies, are supported by human operatives and collect live, dynamic data scanned or sourced from dark web forums, leveraging multiple sources in real time, 24/7, 365 days a year.
Are your business credentials up for sale on the dark web?
Get started with Crintel FREE today! Request a complimentary Cyber Intelligence Report here.
NOTE: As this article is sourced from one or more third parties we cannot guarantee the information is correct and suggest if you are relying on this information, for whatever reason, then you should first do your own research. Click here to learn more about how CRINTEL can help your business.