CyberSecurity SEE

Russia’s Turla APT exploits MSBuild to distribute TinyTurla Backdoor

A recent campaign orchestrated by a Russia-linked advanced persistent threat (APT) group has been uncovered, showcasing a new level of sophistication in cyber attacks. This APT group has been utilizing PDF and MSBuild project files as part of their strategy to distribute the TinyTurla backdoor through socially engineered emails. The seamless delivery approach adopted by the attackers has caught the attention of researchers for its clever execution.

Researchers from Cyble Research and Intelligence Labs (CRIL) identified this campaign, which involves sending out emails containing documents that appear to be invitations to human rights seminars or public advisories. These emails serve as a way to entice unsuspecting victims into downloading the TinyTurla backdoor onto their systems. By impersonating legitimate authorities, the attackers aim to gain the trust of their targets and successfully infiltrate their systems.

Once a victim unknowingly installs the backdoor by opening the malicious document, the attackers gain control over the victim’s system. This allows them to execute commands remotely from a command-and-control (C2) server, giving them access to sensitive information and the ability to carry out malicious activities undetected.

The campaign primarily targets individuals and entities in the Philippines, showcasing the attackers' technique of embedding lure PDFs and MSBuild project files within .LNK files for seamless execution. By leveraging the Microsoft Build Engine (MSBuild), the attackers can deliver a stealthy, fileless payload to their victims, adding another layer of complexity to their operation.

The likely culprit behind this campaign is believed to be the Turla APT, a well-established threat actor with ties to Russia. Turla has a history of targeting NGOs, particularly those associated with supporting Ukraine. The code used in this campaign, along with the tactics employed by the attackers, aligns closely with Turla's modus operandi, leading researchers to attribute this malicious activity to the APT group.

From the initial spam emails to the deployment of the backdoor malware, the attackers follow a carefully orchestrated sequence of actions to compromise their targets. By disguising malicious .LNK files as legitimate documents, the attackers trick victims into executing a PowerShell script embedded within the file, kickstarting a chain of events that culminates in the installation of the TinyTurla backdoor.

The backdoor’s operations are managed through multiple threads, each designed to perform specific tasks that enable the attackers to carry out their agenda efficiently. Features like the “shell” operation allow for the remote execution of commands on the victim’s machine, while the “upload” and “download” operations facilitate the transfer of files between the victim’s system and the C2 server.

To mitigate the risk of compromise by Turla and other APTs, researchers recommend implementing robust email filtering systems to detect and block malicious attachments. Additionally, organizations should educate employees on the importance of scrutinizing email attachments and avoiding interactions with dubious senders. Limiting the use of tools like MSBuild to authorized personnel can also help reduce the risk of unauthorized access by threat actors.

By taking proactive measures such as disabling or restricting the use of scripting languages like PowerShell on user workstations and servers, defenders can enhance their defense posture against sophisticated cyber threats like the TinyTurla backdoor campaign. Stay vigilant and stay informed to stay ahead of cyber attackers.
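As an added detection example (not code from Cyble's report or this article), the following Python flags process-creation events in which a script host such as PowerShell hands MSBuild a project file that lives outside a known build root, the delivery chain the article describes; the event layout, field names and sample events are constructed for illustration.

```python
"""Flag MSBuild launches that match the script-host -> MSBuild delivery chain."""
import ntpath

MSBUILD = "msbuild.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".targets")
# Directories where MSBuild is expected to build projects (assumed for this example).
DEV_ROOTS = ("c:\\build\\", "c:\\program files\\")

# Constructed sample process-creation events in a Sysmon-like shape; not real logs.
SAMPLE_EVENTS = [
    # Legitimate IDE build: Visual Studio invoking MSBuild on a repo under a build root.
    {"pid": 5120, "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\build\app\app.csproj /t:Build",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    # Developer building from a command prompt inside the build root: not flagged.
    {"pid": 5130, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\build\app\app.csproj",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Matches the article's chain: PowerShell handing MSBuild a project file dropped in Temp.
    {"pid": 5140, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\victim\AppData\Local\Temp\seminar.proj",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def _project_arg(cmdline: str):
    """Return the first command-line token that looks like an MSBuild project file."""
    for tok in cmdline.replace('"', "").split():
        if tok.lower().endswith(PROJECT_EXTS):
            return tok
    return None


def flag_msbuild_chain(events):
    """Return (pid, reason) for each MSBuild launch whose parent is a script host
    and whose project file sits outside the expected build roots."""
    alerts = []
    for ev in events:
        if _base(ev["image"]) != MSBUILD:
            continue
        proj = _project_arg(ev["cmdline"])
        parent = _base(ev["parent_image"])
        if proj and parent in SCRIPT_HOSTS and not proj.lower().startswith(DEV_ROOTS):
            alerts.append((ev["pid"], f"{parent} -> msbuild.exe building {proj}"))
    return alerts


if __name__ == "__main__":
    for pid, reason in flag_msbuild_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

Tune DEV_ROOTS to the directories your developers actually build from; on hosts with no development role, any MSBuild launch from a script host is worth an alert.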