Russia's Turla APT Abuses MSBuild to Deliver TinyTurla Backdoor

Published: 23/11/2024 | Category: security


A threat campaign luring users with malicious documents related to human rights and public notices is aimed at giving the Russia-backed threat group access to victims' systems for cyber-espionage purposes.



A Russia-linked advanced persistent threat (APT) group has been abusing PDF and MSBuild project files in a campaign that uses socially engineered emails to deliver the TinyTurla backdoor as a fileless payload. The campaign's seamless delivery routine is a notable evolution in sophistication, researchers said.
Researchers from Cyble Research and Intelligence Labs (CRIL) identified the campaign, which uses emails with documents pitching invitations to human rights seminars or providing public advisories as a lure to infect users with TinyTurla. In a blog post published yesterday on the campaign, they said the attackers also impersonate legitimate authorities in an effort to lure victims in.
When targeted individuals mistakenly believe this to be a legitimate invitation or advisory and open it, they could inadvertently install a tiny backdoor on their system, according to the post. Attackers can then use the backdoor to execute commands from a command-and-control (C2) server that they control and infiltrate the victim's system.
The campaign — which targets individuals and entities in the Philippines — demonstrates attacker sophistication by embedding lure PDFs and MSBuild project files within .LNK files for seamless execution, according to CRIL. The attacker also executes the project files using the Microsoft Build Engine (MSBuild) to deliver a stealthy, fileless final payload, according to the post.
The TinyTurla backdoor is linked to a long-running Russia-sponsored threat actor, Turla, that typically targets NGOs, particularly those with connections to supporting Ukraine, the researchers noted. They believe the group is behind the malicious activity, according to the post.
Code observed by the researchers, the content of the emails, and other tactics also point to the APT. The use of basic first-stage backdoor functionality, coupled with the use of compromised Web servers for C2 infrastructure, aligns with the behavior exhibited by Turla, according to the post.
Turla also is known to deploy PHP-based C2s within specific directories of compromised websites, which is a behavior also observed in the campaign.
As mentioned, the campaign begins with spam emails that include a document either inviting the recipient to a human rights seminar or impersonating the Philippine Statistics Authority with a public advisory. The latter was discovered and shared on the social-media platform X by security researcher Simon Kenin, according to CRIL.
When a victim clicks on the document — which is actually a malicious .LNK file — it triggers execution of a PowerShell script embedded within it, which kicks off a series of operations. These include reading the content of the .LNK file and writing it into three distinct files — a lure PDF, encrypted data, and a custom MSBuild project — in the %temp% location. The MSBuild project then executes to open the lure document.
This MSBuild project contains code to decrypt the encrypted data, which is then saved in a %temp% location with the .log extension, according to the post. Subsequently, this .log file, also an MSBuild project, is scheduled to be executed using MSBuild.exe through Task Scheduler to carry out backdoor activities.
TinyTurla manages its operations using multiple threads, each of which is designed to execute a specific task. The shell operation enables the backdoor to execute commands on the victim's machine by creating a new process to run the specified command. The sleep operation allows attackers to dynamically adjust the backdoor's sleep interval.
Other operations the backdoor executes are an upload operation that lets it download a file from the C2 server and save it locally on the victim's machine, and a download operation that can exfiltrate files from the victim's machine to the C2 server.
By coordinating these diverse operations, the backdoor functions as a versatile tool for [the threat actors], according to the post. It allows them to carry out subsequent malicious activities while avoiding detection and enhancing their control over compromised systems.
Though the campaign's impersonation of legitimate files and seamless deployment routine make it difficult to detect, there are several ways defenders can avoid compromise, the researchers suggested.
As the entry point of the campaign comes in the form of spam emails, deploying strong email-filtering systems can identify and prevent the dissemination of harmful attachments. Further, organizations should advise employees to exercise extreme caution when handling email attachments or links, particularly those from unknown senders.
Regarding the campaign's abuse of MSBuild, organizations can limit the use of this tool to authorized personnel or specific systems, which will reduce the risk of unauthorized use by threat actors, according to CRIL. Indeed, a Russia-based APT also abused this tool in the infamous Zerologon campaign several years ago.
Defenders also should consider disabling or limiting the execution of scripting languages, such as PowerShell, on user workstations and servers if they are not essential for legitimate purposes, researchers noted.
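As an added example (not code from CRIL's report or from this article), the following Python triages constructed Sysmon-style process-creation records for the MSBuild pattern described above and for the MSBuild-restriction advice: MSBuild.exe launched via Task Scheduler against a file with a non-project extension (such as .log) dropped in %temp%. The record field names, sample paths and the list of scheduler parent processes are assumptions.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (sample data, not from the report).
# Record 0 mirrors the chain described in the article: Task Scheduler (svchost.exe)
# running MSBuild.exe against a ".log" file dropped in the user's %temp% directory.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\Users\jdoe\AppData\Local\Temp\upd.log"',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe D:\src\app\app.csproj /t:Build /p:Configuration=Release",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.log",
     "parent": r"C:\Windows\explorer.exe"},
]

# Extensions MSBuild is normally handed; anything else (.log, .txt, .tmp ...) is suspicious.
PROJECT_EXTENSIONS = {".csproj", ".vbproj", ".fsproj", ".proj", ".sln", ".targets", ".props"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Processes that host scheduled-task launches (assumed list; a weak signal on its own,
# since a legitimate nightly build job would also show one of these parents).
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}

def project_args(cmdline):
    """Return the positional arguments (the project files) from an MSBuild command line."""
    tokens = shlex.split(cmdline, posix=False)[1:]   # posix=False keeps backslashes literal
    return [t.strip('"') for t in tokens if not t.startswith(("/", "-"))]

def msbuild_findings(event):
    """List the reasons a single process-creation event looks like MSBuild abuse."""
    if PureWindowsPath(event["image"]).name.lower() != "msbuild.exe":
        return []
    findings = []
    for arg in project_args(event["cmdline"]):
        if PureWindowsPath(arg).suffix.lower() not in PROJECT_EXTENSIONS:
            findings.append(f"non-project extension handed to MSBuild: {arg}")
        if any(marker in arg.lower() for marker in TEMP_MARKERS):
            findings.append(f"project file located in a temp directory: {arg}")
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in SCHEDULER_PARENTS:
        findings.append(f"launched by {parent} (consistent with a scheduled task)")
    return findings

def triage(events):
    """Map event index -> findings for every event that produced at least one finding."""
    results = {i: msbuild_findings(e) for i, e in enumerate(events)}
    return {i: f for i, f in results.items() if f}
```

Against the sample records only the first event is reported, with all three findings; the developer-driven build and the unrelated .log file opened in Notepad produce none.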
