Keypoints
- TinyTurla-NG (TTNG) is a new Turla backdoor, similar in coding style to TinyTurla, used as a small “last chance” implant when other access methods fail or are detected.
- The campaign targeted Polish NGOs (at least one supporting Ukraine) and was active from at least Dec 18, 2023 through Jan 27, 2024, with compilation dates suggesting activity as early as Nov 2023.
- Operators used compromised WordPress sites (vulnerable versions) to host PHP-based C2 scripts (e.g., rss-old.php, block.old.php) and logging/data directories for C2 operations.
- TTNG is implemented as a service DLL started via svchost.exe; it spawns threads synchronized with Windows events to register (“Client Ready”), poll for tasks, and execute commands via PowerShell or cmd.exe.
- Turla deployed TurlaPower-NG PowerShell scripts to archive target files (ZIP named by GUID), explicitly seeking password-manager key material, and exfiltrated archives and logs to C2 via HTTP/S POST.
- Backdoor commands include administrative and file operations (e.g., timeout, changeshell, changepoint, get, post, killme); “killme” drops a BAT that removes the CLSID registry key used for COM-hijacking persistence and restarts explorer.exe to complete the cleanup.
MITRE Techniques
- [T1543.003] Create or Modify System Process: Windows Service – TTNG is implemented as a service DLL started via svchost.exe. (‘service DLL, which is started via svchost.exe.’)
- [T1059] Command and Scripting Interpreter – TTNG executes tasks via cmd.exe or PowerShell, prefixing cmd tasks with chcp 437 > NUL and disabling PSReadLine history saving in PowerShell so that executed commands are not logged. (‘Set-PSReadLineOption -HistorySaveStyle SaveNothing’)
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – C2 and data transfers use HTTP/S endpoints hosted on compromised WordPress sites for beaconing and task delivery. (‘sending a campaign identifier (“id”) and the message “Client Ready”’)
- [T1190] Exploit Public-Facing Application – Adversary compromised WordPress sites (vulnerable versions) to upload PHP C2 scripts such as rss-old.php and block.old.php for remote control. (‘compromised WordPress-based websites as command and control endpoints (C2)’)
- [T1560.001] Archive Collected Data: Archive via ZIP – TurlaPower-NG recursively archives target files into a .zip named by a generated GUID before exfiltration. (‘.zip extension whose name is generated on the fly by generating a new GUID’)
- [T1041] Exfiltration Over C2 Channel – Archived data and activity logs are exfiltrated to C2 using HTTP/S POST requests. (‘The archive file is then exfiltrated to the C2 using HTTP/S POST requests along with a log’)
Indicators of Compromise
- [Hashes] TTNG samples – 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b, d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40
- [Domains] Compromised C2 hosts – hanagram[.]jp, thefinetreats[.]com, caduff-sa[.]ch, jeepcarlease[.]com, buy-new-car[.]com, carleasingguru[.]com
- [C2 filenames] PHP C2 script names observed – rss-old.php, rss.old.php, block.old.php
- [Logs / C2 structure] C2 log files and directories – _log.txt (beacons), result.txt (messages from TTNG), tasks.txt (commands issued)
- [Registry key] Persistence-related registry artifact – HKEY_CURRENT_USER\Software\Classes\CLSID\{C2796011-81BA-4148-8FCA-C6643245113F} (deleted by the BAT during killme)
TinyTurla-NG (TTNG) is delivered as a service DLL launched under svchost.exe; its ServiceMain initializes configuration and an event object, then starts a main thread that spawns two worker threads (via CheckOSVersion_StartWorkerThreads). Thread one performs environment checks (PowerShell and Windows versions), registers the host with the C2 by sending a hardcoded eight-character “id” and the message “Client Ready,” and polls the C2 for tasks (gettask_loop). Thread two waits on the Windows event signaled by thread one to execute received tasks. Commands are executed either through cmd.exe (preceded by chcp 437 > NUL) or piped into PowerShell.exe; when using PowerShell the implant runs Set-PSReadLineOption -HistorySaveStyle SaveNothing to avoid saving history.
Operators used multiple compromised WordPress sites (various vulnerable versions) to host PHP-based C2 scripts (names like rss-old.php, rss.old.php, block.old.php) and to store logging and exfiltrated data. TTNG accepts direct execution tasks (e.g., running a binary) and a set of management/file commands including timeout (adjust sleep interval), changeshell (switch between cmd/PowerShell), changepoint (return command results and administrative logs), get (HTTP GET to fetch files to disk), post (HTTP POST to upload files), and killme (create and execute a BAT that removes the implant's artifacts and the CLSID registry key used for COM-hijacking persistence). The BAT template deletes the DLL and the CLSID key under HKCU\Software\Classes\CLSID and then restarts explorer.exe.
TTNG also writes TurlaPower-NG PowerShell scripts to targets to perform targeted file collection: the scripts recursively enumerate specified paths, exclude .mp4 files, archive matching files into a .zip file named by a generated GUID, and POST the archive plus an activity log to the C2. The C2 infrastructure maintains per-identifier log directories and files (_log.txt, result.txt, tasks.txt) to track beacons, received messages, and issued commands; TTNG samples include two hardcoded C2 URLs each and used multiple C2 servers during the observed campaign. Detection should focus on service DLLs launched by svchost, unusual HTTP POST exfiltration of ZIP archives, execution of PowerShell scripts that enumerate and ZIP credential-related files, and writes to the listed C2 PHP endpoints and log files.
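Detection logic for the behaviours summarized above, written as an added example (not Talos code and not from the page): it tags proxy log lines that touch the reported C2 script names, carry the “Client Ready” registration message, or upload a GUID-named .zip, and tags process command lines that use the cmd/PowerShell constructs described. The log lines are constructed, and the proxy-log layout, the body excerpt and the `id=… Client Ready` encoding are assumptions.

```python
import re
from typing import List

# C2 PHP script names reported for the campaign (taken from the page).
C2_SCRIPTS = ("rss-old.php", "rss.old.php", "block.old.php")
# GUID-named .zip archives that TurlaPower-NG builds before exfiltration.
GUID_ZIP_RE = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.zip\b", re.I)
# PowerShell history suppression the implant runs before tasking.
PS_NOHIST_RE = re.compile(r"Set-PSReadLineOption\s+-HistorySaveStyle\s+SaveNothing", re.I)
# cmd.exe prefix the implant uses for non-PowerShell tasks.
CHCP_RE = re.compile(r"chcp\s+437\s*>\s*NUL", re.I)
# Assumed proxy log layout: <ts> <src_ip> <method> <url> <bytes> "<body excerpt>"
# (paths and bodies of HTTPS requests are only visible with TLS inspection).
PROXY_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\d+) "(.*)"$')

def web_findings(line: str) -> List[str]:
    """Tag one proxy log line with the TTNG/TurlaPower-NG behaviours it matches."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    _ts, _src, method, url, nbytes, body = m.groups()
    script = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    tags = []
    if script in C2_SCRIPTS:
        tags.append("c2_php_endpoint")          # beacon/task/log endpoint
    if method == "POST" and "Client Ready" in body:
        tags.append("ttng_register_beacon")     # registration message
    if method == "POST" and int(nbytes) > 0 and GUID_ZIP_RE.search(body):
        tags.append("guid_zip_exfil")           # archive upload
    return tags

def process_findings(cmdline: str) -> List[str]:
    """Tag a process command line with the shell constructs described on the page."""
    tags = []
    if PS_NOHIST_RE.search(cmdline):
        tags.append("ps_history_disabled")
    if CHCP_RE.search(cmdline):
        tags.append("cmd_chcp437_prefix")
    return tags

# Constructed sample events; the host name is a placeholder, not a real C2.
SAMPLE_PROXY = [
    '2024-01-05T10:00:01Z 10.0.0.5 POST https://c2.example.invalid/wp-includes/rss-old.php 31 "id=AbCdEfGh Client Ready"',
    '2024-01-05T10:00:31Z 10.0.0.5 GET https://c2.example.invalid/wp-includes/rss-old.php?id=AbCdEfGh 0 ""',
    '2024-01-05T10:05:12Z 10.0.0.5 POST https://c2.example.invalid/block.old.php 1048576 "filename=5f1c0d2e-9a3b-4c8d-8e7f-0123456789ab.zip"',
    '2024-01-05T10:06:00Z 10.0.0.7 GET https://www.example.invalid/index.php 512 ""',
]
```

In production the script-name match should be combined with the listed domains and with the service-DLL/svchost.exe parent-process context, since the PHP file names alone are weak indicators.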
Read more: https://blog.talosintelligence.com/tinyturla-next-generation/