[MART] - Daily Diary #352 - TinyTurla, A New Malware Deployed By APT Turla

CTAS-MAT ctas-mat at appgate.com
Tue Sep 21 18:23:44 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

09/21/2021 - Diary entry #352:


Briefly mentioned in our Daily Diary #159, the Turla APT is a Russian espionage group known for using a Windows API feature called Named Pipes to exchange information and send commands between its malware modules. Recently, a new backdoor used by the group was discovered targeting the U.S., Germany, and Afghanistan.


Named TinyTurla, this new malware acts as a stealthy second-chance backdoor: even if the primary malware is removed, TinyTurla can maintain access to the infected devices. Additionally, it can serve as a second-stage dropper, since it is able to download, upload and execute files.


Once installed by a .bat file as a service DLL called w64time.dll, the backdoor runs hidden inside the svchost.exe process. The DLL mimics a legitimate Windows service, the "Windows Time Service" implemented in "System32\w32time.dll". First, the backdoor reads its configuration from the registry. Then it authenticates itself to the C2 server and contacts it over HTTPS every five seconds to check for new commands from its operator.


TinyTurla is a simple, lightweight threat that was disclosed only recently, but the group has used it since at least 2020. It is easy to overlook because it is disguised as a legitimate service, so in addition to anti-malware solutions, systems should have network-based signatures and protections that detect unknown running services.
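As an added example (not part of this post and not an Appgate tool), the PowerShell triage script below enumerates every svchost-hosted service DLL registered under HKLM\SYSTEM\CurrentControlSet\Services and flags entries whose DLL is missing, lives outside System32, or whose file name is only an edit or two away from a legitimate Windows DLL such as w32time.dll (the pattern w64time.dll follows). The $known list is a constructed placeholder to extend with the DLLs you care about; run it as Administrator on the host under review.

```powershell
# Added triage example: find svchost-hosted service DLLs that look out of place.
# $known is a constructed placeholder list of legitimate DLL names to compare against.
$system32 = Join-Path $env:SystemRoot 'System32'
$known    = @('w32time.dll')

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; a name 1-2 edits from a legitimate DLL is a lookalike.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.PSChildName)\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }   # not an svchost-hosted service

    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $name = [IO.Path]::GetFileName($path).ToLower()
    $reasons = @()

    if (-not (Test-Path -LiteralPath $path)) { $reasons += 'ServiceDll missing on disk' }
    if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'ServiceDll outside System32'
    }
    foreach ($k in $known) {
        if ($name -ne $k -and (Get-EditDistance $name $k) -le 2) { $reasons += "lookalike of $k" }
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            Service    = $_.PSChildName
            ServiceDll = $path
            Reasons    = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize
```

Any hit is a lead for manual review, not a verdict: third-party software legitimately registers service DLLs outside System32, so confirm the publisher and signature before acting.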


This trojan is a good example of why, when an infection is discovered on a system, that system must be completely reformatted or restored to a state prior to the infection. Just removing the detected threat may be enough to stop most attacks, but even skilled analysts can miss hidden additional pieces of malware.


Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549
