TinyTurla-NG in-depth tooling and command and control analysis

Cisco Talos and CERT.NGO analyzed Turla’s TinyTurla-NG campaign, revealing a PHP-based C2 hosted on compromised WordPress sites that provides a web shell and a task/result-based protocol for implant communication. The report details three modular PowerShell workflows for reconnaissance, staging and exfiltration, plus additional tooling including a modified Chisel reverse SOCKS proxy, a browser credential harvester, and a privilege‑impersonation binary. #TinyTurla-NG #Chisel

Key points

  • Talos and CERT.NGO recovered a PHP C2 script that serves TinyTurla-NG implants and provides a base64-decoded web shell via a special COOKIE value.
  • The C2 supports an “id” parameter for implant communication and implements task/result file mechanics (task, gettask, result, getresult) to hand commands and collect outputs.
  • Operators used three sets of PowerShell commands for file enumeration, copying files to C:\Windows\Temp, and final exfiltration (TurlaPower‑NG).
  • Talos identified three additional modules deployed by TTNG: a modified Chisel client (reverse SOCKS proxy), PowerShell credential-harvesting scripts, and a privilege-impersonation executable for elevated command execution.
  • The Chisel sample contains embedded C2 URL/port and a client TLS certificate; it establishes R:5000:socks back to 91[.]193[.]18[.]120:443.
  • Browser login data (Edge/Chrome) are collected and archived by edgeparser.ps1 and staged for exfiltration.
  • Operators favor HTTPS and compromised legitimate websites as C2 to blend traffic and avoid direct server access like SSH.

MITRE Techniques

  • [T1505.003] Web Shell – PHP C2 provides a web shell by decoding and executing a cookie value (‘…it will base64 decode the value of the $_COOKIE … and execute it on the C2 server as a command.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and implant communication occur over HTTPS to blend with legitimate traffic (‘…communicate over HTTPS masquerading as legitimate traffic…’)
  • [T1059.001] PowerShell – Attackers issued modular PowerShell commands to TTNG for enumeration, staging and exfiltration (‘…three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files…’)
  • [T1083] File and Directory Discovery – Reconnaissance commands enumerate files in operator-specified directories (‘…Used to enumerate files in a directory specified by the operator.’)
  • [T1074.001] Data Staged – Files of interest are copied to a temporary staging directory (C:\Windows\Temp) before exfiltration (‘…copy over files of interest … to a temporary directory, usually: C:\windows\temp’)
  • [T1041] Exfiltration Over C2 Channel – Final exfiltration of selected files to the C2 servers using TurlaPower-NG scripts (‘…These scripts were used to finally exfiltrate the selected files to the C2 servers.’)
  • [T1555.003] Credentials from Web Browsers – PowerShell script extracts Edge/Chrome login data and the decryption key for archiving (‘…find login data from Microsoft Edge located at: %userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Login Data’)
  • [T1090] Proxy – Modified Chisel creates a reverse SOCKS proxy (R:5000:socks) to the attacker-controlled host (‘…create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks’)
  • [T1134] Access Token Manipulation – Privilege impersonation tool spawns a cmd.exe under another process’s privileges to execute arbitrary commands (‘…impersonate the privilege level of a specified process while executing arbitrary commands…’)
  • [T1105] Ingress Tool Transfer – Additional malicious modules (Chisel, credential harvesters, privilege tool) were deployed to infected hosts via the initial TinyTurla‑NG implant (‘…use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access…’)

Indicators of Compromise

  • [File hashes] Malware samples recovered – 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b, d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40, and 3 more hashes
  • [Domains] Compromised C2/hosted sites – hanagram[.]jp, thefinetreats[.]com, and 4 more domains
  • [IP addresses] C2 infrastructure – 91[.]193[.]18[.]120 (Chisel C2 at 91[.]193[.]18[.]120:443)
  • [File names/paths] Deployed tools and scripts – C:\Windows\System32\TrustedWorker.exe (modified Chisel), C:\Windows\System32\edgeparser.ps1 (credential harvesting script)
  • [TLS certificate] Embedded client certificate details – issuer dropher[.]com, subject blum[.]com, validity Dec 7, 2023 to Dec 16, 2024 (used by modified Chisel)

Talos recovered PHP-based C2 scripts that serve both as a controller for TinyTurla‑NG/TurlaPower‑NG implants and as an administrative web shell. On load the script ensures a logging directory exists, checks for a special COOKIE ID to enable web shell behavior, and decodes/executes base64 content from a cookie via exec()/passthru()/system()/shell_exec(). When an “id” parameter is present the C2 maps form values to file-backed operations—writing task commands (task), returning tasks to implants (gettask), recording command outputs (result), providing outputs remotely (getresult), and saving/reading/removing arbitrary files (file, cat_file, rm_file)—allowing operators to feed commands and retrieve results over HTTPS without directly accessing the compromised host.
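A defender-side triage check for the C2 shape described above, added here as an example and not taken from the Talos report: it scores PHP files for the cookie-driven base64 web shell trait and the task/gettask/result/getresult vocabulary of the file-backed protocol. The PHP fragments, weights and threshold are constructed assumptions for illustration.

```python
"""Static triage of PHP files for the TinyTurla-NG C2 traits Talos described.
Example code written for this summary; the mock inputs are constructed fragments,
not a functional controller, and the scoring weights are an assumption."""
import re
from dataclasses import dataclass, field

# Exec-family functions the report says the cookie web shell dispatches to.
EXEC_CALL = re.compile(r"\b(?:exec|passthru|system|shell_exec)\s*\(", re.I)
COOKIE_REF = re.compile(r"\$_COOKIE\b")
B64_DECODE = re.compile(r"\bbase64_decode\s*\(", re.I)
# The "id" parameter that switches the script into implant-handling mode.
ID_PARAM = re.compile(r"\$_(?:GET|POST|REQUEST)\s*\[\s*['\"]id['\"]\s*\]")
# Operator/implant verbs of the file-backed task protocol.
PROTO_RE = re.compile(r"['\"](task|gettask|result|getresult|file|cat_file|rm_file)['\"]", re.I)
THRESHOLD = 4  # assumed cut-off: at or above this, hand the file to an analyst

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

def scan_php(source: str) -> Verdict:
    """Score one PHP source text; each trait adds to the score independently."""
    v = Verdict()
    if COOKIE_REF.search(source) and B64_DECODE.search(source):
        v.score += 2; v.hits.append("base64_decode of a $_COOKIE value")
    if EXEC_CALL.search(source):
        v.score += 1; v.hits.append("exec-family call")
    if ID_PARAM.search(source):
        v.score += 1; v.hits.append("id parameter")
    verbs = sorted({m.group(1).lower() for m in PROTO_RE.finditer(source)})
    if len(verbs) >= 3:  # three or more protocol verbs together is the signal
        v.score += 2; v.hits.append("task/result verbs: " + ",".join(verbs))
    return v

def is_candidate(source: str) -> bool:
    return scan_php(source).score >= THRESHOLD

# Constructed test vectors: fragments that mirror the reported traits (statements
# are deliberately incomplete) and a benign WordPress-style snippet for contrast.
MOCK_C2 = """<?php
@mkdir("log");
$p = base64_decode($_COOKIE["ID"]);
/* ... */ passthru(
if (isset($_GET["id"])) switch ($_POST["f"]) {
  case "task": case "gettask": case "result": case "getresult": case "file":
}
"""
MOCK_WP = """<?php
if (isset($_COOKIE["wordpress_logged_in"])) { $r = get_post($_GET["id"]); }
echo esc_html($r->post_title);
"""
```

Run it over the PHP files of a suspect WordPress install and review only the files that reach the threshold; the hit list explains which traits fired.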

Operators used TinyTurla‑NG to run three modular PowerShell workflows: reconnaissance to enumerate files in specified directories (file and directory discovery), copying/staging files to C:\Windows\Temp, and exfiltrating chosen data using TurlaPower‑NG scripts. Hardcoded target paths included NGO documents and browser profile data; Edge/Chrome login databases are collected by edgeparser.ps1, which extracts the login data and decryption key, archives them into a .zip under C:\Windows\Temp, and stages them for exfiltration. Talos also found a privilege‑impersonation binary that spawns cmd.exe under another process’s token to execute these PowerShell tasks with elevated rights.

Separately, a UPX-compressed Go-based Chisel client (stored as C:\Windows\System32\TrustedWorker.exe) was embedded with a C2 URL, port and a client TLS certificate (issuer dropher[.]com, subject blum[.]com) and configured to create a reverse SOCKS proxy (R:5000:socks) back to 91[.]193[.]18[.]120:443, giving the operators remote access into the network for their follow-on tooling. Multiple certificates and modified implants indicate variant churn; defenders should monitor for the listed hashes, domains, the IP 91[.]193[.]18[.]120, suspicious use of PowerShell for file enumeration/staging, unexpected files under C:\Windows\System32 (edgeparser.ps1, TrustedWorker.exe), and TLS client certificates matching the reported issuer/subject.

Read more: https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/