New details on TinyTurla’s post-compromise activity reveal full kill chain

Cisco Talos and CERT.NGO mapped a full post-compromise kill chain used by the Russian actor Turla, showing Microsoft Defender exclusions, BAT-based service creation, and deployment of the TinyTurla-NG (TTNG) implant. The actors used a custom Chisel beacon (hourly) to create reverse-proxy tunnels for lateral movement and exfiltrated most data over the C2 channel on Jan 12, 2024. #Turla #TinyTurla-NG

Keypoints

  • Turla infected multiple systems in a European NGO environment and followed a repeatable playbook across hosts.
  • Early post-compromise actions include adding Microsoft Defender exclusions for paths used to host implants to evade detection.
  • Persistence is achieved via BAT files that register registry entries and create a masquerading Windows service named “sdm” that loads a TTNG DLL via svchost.exe.
  • TinyTurla-NG performs local reconnaissance, stages files to a temporary directory, and deploys a custom Chisel beacon for C2 communication.
  • Chisel establishes reverse-proxy tunnels to attacker-controlled servers (beaconing hourly) and was used to pivot to other systems alongside WinRM, proxy chains, and evil-winrm.
  • The majority of data exfiltration occurred over the Chisel C2 channel on Jan 12, 2024; IoCs including file hashes, domains, and an IP address were published.

MITRE Techniques

  • [T1566] Spearphishing – Initial access was likely achieved via phishing or exploitation (‘likely through spearphishing or exploiting vulnerabilities.’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Turla added Microsoft Defender exclusions to host implant files (‘Turla adds exclusions in the anti-virus software, such as Microsoft Defender, to locations they will use to host the implant on the compromised systems.’)
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence created using batch files and a service named “sdm” pointing at a TTNG DLL (‘The batch files create a service on the system to persist the TTNG DLL on the system.’)
  • [T1573.002] Encrypted Channel: Asymmetric Cryptography – Chisel set up reverse-proxy tunnels to attacker-controlled boxes for secured C2 communication (‘Chisel will set up a reverse proxy tunnel to an attacker-controlled box.’)
  • [T1021] Remote Services – Attackers pivoted via the Chisel connection and used WinRM/evil-winrm and proxy chains to establish remote sessions (‘the attackers leveraged the chisel connection … to pivot to other systems in the network’ and ‘used tools such as proxy chains and evil-winrm to establish remote sessions.’)
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration primarily occurred over the Chisel C2 channel on Jan 12, 2024 (‘Turla conducted the majority of their data exfiltration using Chisel much later on Jan. 12, 2024.’)

Indicators of Compromise

  • [Hashes] observed in Talos reporting – 267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b, d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40, and 3 more hashes
  • [Domains] attacker infrastructure / C2 – hanagram[.]jp, thefinetreats[.]com, caduff-sa[.]ch, jeepcarlease[.]com, and 2 more domains
  • [IP Addresses] observed C2 endpoint – 91[.]193[.]18[.]120
  • [File names/paths] persistence and payloads – dcmd.dll, C:\Windows\System32, and service name “sdm”

After initial access (likely spearphishing or exploitation), the attackers modified Microsoft Defender exclusions for target paths (for example adding C:\Windows\System32 to Defender exclusions) to prevent detection of files they would use to host the implant. They dropped TinyTurla-NG components and used BAT scripts that both add registry entries (e.g., HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /v sysman …) and call sc create to register a service named “sdm” which points svchost.exe at a TTNG DLL (dcmd.dll), thereby achieving persistence via a malicious Windows service.

When the service is started, svchost loads the TTNG DLL, which performs directory reconnaissance, stages files to temporary directories, and deploys a custom-built Chisel beacon. Chisel establishes a reverse-proxy tunnel to attacker-controlled C2 servers (an encrypted channel using asymmetric cryptography) and beacons hourly. Talos observed the Chisel connection being used to pivot; operators combined it with WinRM, proxy chains, and tools like evil-winrm to obtain remote shells and move laterally within the network.

Turla repeated the same sequence on newly accessed hosts: create Defender exclusions, drop malware, and create service-based persistence. The majority of bulk exfiltration was conducted over the Chisel C2 channel on Jan 12, 2024. Defenders should monitor for the published hashes and domains, the IP 91[.]193[.]18[.]120, registry changes to Svchost entries (sysman/sdm), presence of dcmd.dll under System32, hourly Chisel beaconing, and unexpected WinRM sessions that may indicate proxy chaining or evil-winrm activity.
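The persistence chain above and the monitoring advice can be turned into a small hunt. This is an added example, not code from Talos or from the original post; the pipe-delimited log format, the sample lines and the hourly connection timestamps are all constructed for illustration.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample telemetry (ts|host|source|detail); these are not real logs
# from the Talos report, just lines shaped like the activity it describes.
SAMPLE_EVENTS = [
    r"2024-01-10T09:01:02|WS01|powershell|Add-MpPreference -ExclusionPath C:\Windows\System32",
    r"2024-01-10T09:01:09|WS01|registry|SetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /v sysman",
    r"2024-01-10T09:01:11|WS01|process|sc create sdm binPath= C:\Windows\System32\svchost.exe -k sysman",
    r"2024-01-10T09:01:12|WS01|registry|SetValue HKLM\SYSTEM\CurrentControlSet\Services\sdm\Parameters\ServiceDll = C:\Windows\System32\dcmd.dll",
    r"2024-01-10T09:30:00|WS02|process|sc query wuauserv",
]

# Each rule names the kill-chain step it evidences; the regexes are assumptions
# written against the constructed log format above, not vendor signatures.
RULES = {
    "defender_exclusion_added": re.compile(r"Add-MpPreference\s+-ExclusionPath|Exclusions\\Paths", re.I),
    "svchost_group_registered": re.compile(r"CurrentVersion\\Svchost\b", re.I),
    "sdm_service_created": re.compile(r"\bsc\s+create\s+sdm\b", re.I),
    "ttng_servicedll": re.compile(r"ServiceDll\s*=.*\\dcmd\.dll$", re.I),
}

def hunt_persistence(lines):
    """Return {host: sorted rule names} for hosts with at least one TTNG-style hit."""
    hits = {}
    for line in lines:
        _ts, host, _src, detail = line.split("|", 3)
        for name, rx in RULES.items():
            if rx.search(detail):
                hits.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}

# Constructed hourly outbound connections from one host to one destination; real
# beacons drift by a few seconds, so a tolerance is applied instead of an exact match.
SAMPLE_BEACONS = [
    "2024-01-10T10:00:03", "2024-01-10T11:00:01", "2024-01-10T12:00:07",
    "2024-01-10T13:00:02", "2024-01-10T14:00:04", "2024-01-10T15:00:01",
]

def is_hourly_beacon(timestamps, period=3600, tolerance=60, min_events=4):
    """True when connections recur every ~period seconds with low jitter."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return abs(median(gaps) - period) <= tolerance and max(gaps) - min(gaps) <= 2 * tolerance
```

A host that trips several of the persistence rules within a short window, plus a periodic outbound connection from the same host, is the combination worth escalating rather than any single hit.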

Read more: https://www.hendryadrian.com/new-details-on-tinyturlas-post-compromise-activity-reveal-full-kill-chain/