
Turla Backdoor TinyTurla-NG Used in European NGO Cyber Attack

A recent report published by revealed that the Russia-linked threat actor known as Turla has targeted yet another non-governmental organization (NGO) in Europe. The actor infected several of the organization's systems in order to deploy a backdoor called TinyTurla-NG (TTNG).

The attackers first compromised one of the NGO's systems and established persistence, then added exclusions to the antivirus products running on those endpoints as part of their preliminary post-compromise actions. This let them evade detection, open additional communication channels via Chisel for data exfiltration, and pivot to other reachable systems on the network.

According to evidence gathered by , the infected systems were breached as early as October 2023. Chisel was deployed in December 2023, and data exfiltration occurred via the tool a month later, around January 12, 2024.

The company first documented TinyTurla-NG last month, after it was found being used in a campaign targeting a Polish NGO working to improve Polish democracy and to support Ukraine during the invasion. The campaign is highly targeted and focused on a small number of organizations, most of them in Poland.

The attack chain involves Turla using its initial access to configure Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then persisted by creating a malicious “sdm” service that masquerades as a “System Device Manager” service. TinyTurla-NG acts as a backdoor to conduct follow-on reconnaissance, exfiltrate files of interest to a command-and-control (C2) server, and deploy a custom-built version of the Chisel tunneling software. The exact intrusion pathway is still being investigated.
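The two host-side footprints described above (a new Defender exclusion and a service named “sdm” posing as “System Device Manager”) are the kind of thing a detection rule can key on. The following is an added example, not code from the report or its authors: it runs simple matching over constructed Windows event records shaped like a System log service-install event (ID 7045) and a Defender configuration-change event (ID 5007); the sample event contents, and the assumption that the rule is fed a flat dict per event, are mine.

```python
import re

# Constructed sample events (not from the report). Real 7045/5007 events carry
# more fields; only the ones the rule needs are modelled here.
SAMPLE_EVENTS = [
    {"id": 7045, "service_name": "sdm", "display_name": "System Device Manager"},
    {"id": 7045, "service_name": "Spooler", "display_name": "Print Spooler"},
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. "
                            r"Old value: "
                            r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
                            r"\Paths\C:\ProgramData\tools = 0x0"},
    # A config change that is not an exclusion; the rule below does not flag it.
    {"id": 5007, "message": r"Windows Defender Antivirus Configuration has changed. "
                            r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                            r"\Signature Updates\LastUpdate = 0x1"},
]

# Service name / display name pair reported for the TinyTurla-NG persistence service.
MASQUERADING_SERVICES = {("sdm", "system device manager")}

# Matches the registry path Defender logs when a Paths/Processes/Extensions
# exclusion is added, capturing the excluded value.
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = ", re.I)


def flag_service_install(event):
    """Return a finding string if a 7045 event installs the masquerading service."""
    key = (event["service_name"].lower(), event["display_name"].lower())
    if key in MASQUERADING_SERVICES:
        return f"service install: {event['service_name']} ({event['display_name']})"
    return None


def flag_defender_change(event):
    """Return a finding string if a 5007 event records a new Defender exclusion."""
    m = EXCLUSION_RE.search(event["message"])
    if m:
        return f"defender exclusion added ({m.group(1)}): {m.group(2)}"
    return None


def scan(events):
    """Apply both rules and return the list of findings, in event order."""
    findings = []
    for e in events:
        f = flag_service_install(e) if e["id"] == 7045 else (
            flag_defender_change(e) if e["id"] == 5007 else None)
        if f:
            findings.append(f)
    return findings
```

Both rules are deliberately narrow; in practice an exclusion added by anything other than a known management tool, or any new service whose display name does not match a known vendor component, is worth reviewing even when the names differ from those in this campaign.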

This attack highlights cybercriminals' growing sophistication, persistence, and ability to infiltrate even the most secure systems. Organizations must remain vigilant and take all necessary measures to protect their networks and data from such attacks.
