The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023.
俄罗斯相关的威胁行为者Turla在2023年12月针对波兰非政府组织进行了为期三个月的攻击活动,观察到他们使用了一个名为TinyTurla-NG的新后门。
"TinyTurla-NG, just like TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems," Cisco Talos said in a technical report published today.
"TinyTurla-NG与TinyTurla类似,是一个小型的'最后机会'后门,当所有其他未授权访问/后门机制在受感染的系统上失败或被检测到时,将留下该后门供使用。"思科塔洛斯在今天发布的技术报告中说道。
TinyTurla-NG is so named for exhibiting similarities with TinyTurla, another implant used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. TinyTurla was first documented by the cybersecurity company in September 2021.
TinyTurla-NG之所以被命名为TinyTurla,是因为它与这个敌对集体在至少2020年以来针对美国、德国和阿富汗的入侵中使用的另一个植入物TinyTurla有相似之处。TinyTurla在2021年9月首次由这家网络安全公司记录。
Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB).
Turla,又被称为Iron Hunter、Pensive Ursa、Secret Blizzard(原名Krypton),Snake、Uroburos和Venomous Bear,是与俄罗斯联邦安全局(FSB)有关的威胁行为者。
In recent months, the threat actor has singled out the defense sector in Ukraine and Eastern Europe with a novel .NET-based backdoor called DeliveryCheck, while also upgrading its staple second-stage implant referred to as Kazuar, which it has put to use as early as 2017.
近几个月来,这个威胁行为者针对乌克兰和东欧的国防部门使用了一种名为DeliveryCheck的新型基于.NET的后门,同时升级了其常用的第二阶段植入物Kazuar,该植入物早在2017年就开始使用。
The latest campaign involving TinyTurla-NG dates back to December 18, 2023, and is said to have been ongoing up until January 27, 2024. However, it's suspected that the activity may have actually commenced in November 2023 based on the malware compilation dates.
涉及TinyTurla-NG的最新活动可追溯到2023年12月18日,据称一直持续到2024年1月27日。然而,根据恶意软件编译日期,有人怀疑该活动实际上可能在2023年11月就开始了。
It's currently not known how the backdoor is distributed to victim environments, but it has been found to employ compromised WordPress-based websites as command-and-control (C2) endpoints to fetch and execute instructions, enabling it to run commands via PowerShell or Command Prompt (cmd.exe) as well as download/upload files.
目前尚不清楚如何将该后门分发到受害者环境中,但已发现它利用被入侵的基于WordPress的网站作为命令和控制(C2)终端点来获取和执行指令,从而能够通过PowerShell或命令提示符(cmd.exe)运行命令以及下载/上传文件。
TinyTurla-NG also acts as a conduit to deliver PowerShell scripts dubbed TurlaPower-NG that are designed to exfiltrate key material used to secure the password databases of popular password management software in the form of a ZIP archive.
TinyTurla-NG还充当一个传递名为TurlaPower-NG的PowerShell脚本的通道,这些脚本旨在窃取用于保护流行密码管理软件的密码数据库的关键材料,以ZIP档案的形式存在。
"This campaign appears to be highly targeted and focused on a small number of organizations, of which until now we can only confirm Poland based ones," a Cisco Talos researcher told The Hacker News, noting that the assessment is based on the current visibility.
"此次攻击活动似乎针对一小部分组织,并且目前我们只能确认它们位于波兰。"思科塔洛斯的一位研究人员告诉The Hacker News,并指出该评估是基于当前的可见性。
"This campaign is highly compartmentalized, a few compromised websites acting as C2s contact a few samples, meaning that it's not easy to pivot from one sample/C2 to others using the same infrastructure that would give us confidence they are related."
"此次攻击活动高度分隔,少数被入侵的网站充当C2,与少数样本进行联系,这意味着很难通过同一基础设施从一个样本/C2转移到其他样本/C2,这会让我们相信它们是相关的。"
The disclosure comes as Microsoft and OpenAI revealed that nation-state actors from Russia are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) like ChatGPT, to understand satellite communication protocols, radar imaging technologies, and seek support with scripting tasks.
微软和OpenAI的披露显示,来自俄罗斯的国家级行为者正在探索生成式人工智能(AI)工具,包括ChatGPT等大型语言模型(LLMs),以了解卫星通信协议、雷达成像技术,并寻求在脚本编写任务上的支持。
原文始发于微信公众号(知机安全):TinyTurla-NG后门:俄罗斯Turla黑客组织针对波兰非政府组织的最新攻击工具
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论