Pig butchering is a scalable social-engineering scam that builds trust through romantic manipulation to extract money from victims, often via crypto apps or direct transfers. The post also highlights Turla’s TinyTurla-NG backdoor and broader security and policy implications, including law enforcement actions and infrastructure warnings. hashtags: #Turla #TinyTurlaNG
Keypoints
- Romance-based social-engineering scams, known as pig butchering, start with random-text outreach and evolve into trust-building and possible romance.
- The scam chain typically ends with the victim being pressured to send money, often through fake cryptocurrency apps or other transfers.
- These schemes are expanding in scale and can involve human trafficking and coercion, causing a significant human toll beyond cybersecurity.
- FBI and other agencies have issued periodic warnings around Valentine’s Day about romance scams, citing multi-year financial losses.
- Turla APT has deployed TinyTurla-NG, a backdoor that configures anti-virus exclusions to evade detection and persists via a malicious Windows service, targeting entities such as Polish NGOs.
- Security researchers are releasing detection content and urging education and law-enforcement action; policymakers are discussing infrastructure and encryption-related issues.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – Initial contact via a messaging app to start trust-building. Quote: ‘An unknown phone number texts or messages a target with a generally harmless message, usually asking for a random name disguised as an “Oops, wrong number!” text.’
- [T1543.003] Create or Modify System Process: Windows Service – Persistence is established by creating a malicious service. Quote: ‘persistence is established by creating a malicious service.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Anti-virus exclusions are configured before the backdoor is dropped so it is not scanned. Quote: ‘Before deploying TinyTurla-NG, Turla will attempt to configure anti-virus software exclusions to evade detection of their backdoor.’
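As an added defender-side example (not from the newsletter or from Talos), the two TinyTurla-NG behaviours above can be correlated in Windows event logs: a Defender configuration-change event (ID 5007) that adds an exclusion path, followed by a Service Control Manager service-install event (ID 7045) whose binary sits inside that path. The event records, service names and paths below are constructed for illustration.

```python
import re

# Constructed sample Windows event records (made up for this example): a Defender 5007
# exclusion-added event, a 7045 service install from the excluded path, and a benign install.
SAMPLE_EVENTS = [
    {"time": "2024-03-20T09:00:01", "id": "5007", "provider": "Microsoft-Windows-Windows Defender",
     "message": "Windows Defender Antivirus Configuration has changed. Old value: New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\upd = 0x0"},
    {"time": "2024-03-20T09:00:07", "id": "7045", "provider": "Service Control Manager",
     "message": "A service was installed in the system. Service Name: WinUpdSvc Service File Name: "
                "C:\\ProgramData\\upd\\svc.exe Service Type: user mode service Service Start Type: auto start"},
    {"time": "2024-03-20T09:30:00", "id": "7045", "provider": "Service Control Manager",
     "message": "A service was installed in the system. Service Name: VendorAgent Service File Name: "
                "C:\\Program Files\\Vendor\\agent.exe Service Type: user mode service Service Start Type: auto start"},
]

EXCLUSION_RE = re.compile(r"Exclusions\\(?:Paths|Processes|Extensions)\\(.+?) = 0x", re.I)
SERVICE_RE = re.compile(r"Service Name: (?P<name>\S+).*?Service File Name: (?P<path>.+?) Service Type:", re.I)

def parse_exclusion(ev):
    """Return the excluded path (lower-cased) from a Defender 5007 event, else None."""
    if ev["id"] != "5007" or "Windows Defender" not in ev["provider"]:
        return None
    m = EXCLUSION_RE.search(ev["message"])
    return m.group(1).rstrip("\\").lower() if m else None

def parse_service(ev):
    """Return (service name, image path) from a 7045 service-install event, else None."""
    if ev["id"] != "7045":
        return None
    m = SERVICE_RE.search(ev["message"])
    return (m.group("name"), m.group("path").strip()) if m else None

def correlate_exclusion_then_service(events):
    """Flag service installs whose binary sits under a path excluded earlier in the log;
    the exclusion must come first, matching the TinyTurla-NG sequence described above."""
    hits, excluded = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        exc = parse_exclusion(ev)
        if exc:
            excluded.append(exc)
            continue
        svc = parse_service(ev)
        if svc:
            name, path = svc
            low = path.lower()
            base = next((b for b in excluded if low == b or low.startswith(b + "\\")), None)
            if base:
                hits.append({"time": ev["time"], "service": name, "path": path, "excluded_path": base})
    return hits
```

Only the install that lands inside the freshly excluded directory is reported; the benign install and an exclusion added after the install are not.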
Indicators of Compromise
- [MD5] bbcf7a68f4164a9f5f5cb2d9f30d9790, 2915b3f8b703eb744fc54c81f4a9c67f
- [Typical Filename] bbcf7a68f4164a9f5f5cb2d9f30d9790.vir, VID001.exe
- [Detection Name] Win.Dropper.Scar::1201, Win.Worm.Coinminer::1201
- [Typical Filename] c0dwjdi6a.dll
- [Detection Name] Trojan.GenericKD.33515991
- [Typical Filename] endpoint.query
- [Detection Name] W32.File.MalParent
- [Typical Filename] CEPlus.docm
- [Detection Name] Doc.Downloader.Pwshell::mash.sr.sbx.vioc
Read more: https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/