State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan.
Cisco Talos attributed the attacks to the Turla advanced persistent threat (APT) group, coining the malware “TinyTurla” for its limited functionality and efficient coding style that allows it to go undetected. Attacks incorporating the backdoor are believed to have occurred since 2020.
“This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed,” the researchers said. “It could also be used as a second-stage dropper to infect the system with additional malware.” Furthermore, TinyTurla can upload and execute files or exfiltrate sensitive data from the infected machine to a remote server, while also polling the command-and-control (C2) station every five seconds for any new commands.
Also known by the monikers Snake, Venomous Bear, Uroburos, and Iron Hunter, the Russian-sponsored espionage outfit is known for its cyber offensives targeting government entities and embassies spanning across the U.S., Europe, and Eastern…