• Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
  思科 Talos 发现了一个由俄罗斯网络间谍威胁组织 Turla APT 组织编写和运营的新后门。这个我们称之为“TinyTurla-NG”（TTNG）的新后门在编码风格和功能实现上类似于Turla之前披露的植入物TinyTurla。
• Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
  Talos 非常有信心地评估 TinyTurla-NG 和 TinyTurla 一样，是一个小型的“最后机会”后门，当所有其他未经授权的访问/后门机制在受感染的系统上失败或被检测到时，就会被留下来使用。
• TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion. 
  早在 2023 年 12 月，TinyTurla-NG 就被发现针对一个致力于改善波兰民主并在俄罗斯入侵期间支持乌克兰的波兰非政府组织 （NGO）。
• We’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG ” that are meant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to secure the password databases of popular password management software, indicating a concerted effort for Turla to steal login credentials.
  我们还发现了以前未知的 PowerShell 脚本，我们称之为“TurlaPower-NG”，旨在充当文件泄露程序。TinyTurla-NG 部署了这些脚本来窃取用于保护流行密码管理软件的密码数据库的密钥材料，这表明 Turla 窃取登录凭据的协同努力。

Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). Our findings indicate that Polish non-governmental organizations (NGOs) are actively being targeted, with at least one of them supporting Ukraine. While NGOs aren’t directly involved in conflicts they frequently participate in providing aid to entities suffering through the conflicts. Aggressor parties may deem it strategically beneficial to monitor such NGOs to keep track of ongoing and potentially new aid packages for their victims.
Talos，与 CERT.非政府组织，调查了 Turla 威胁行为者的另一个妥协，其新后门与 TinyTurla 非常相似，我们称之为 TinyTurla-NG （TTNG）。我们的调查结果表明，波兰非政府组织 （NGO） 正在积极成为攻击目标，其中至少有一个支持乌克兰。虽然非政府组织不直接卷入冲突，但它们经常参与向遭受冲突之苦的实体提供援助。侵略方可能认为，对这类非政府组织进行监测，以跟踪正在向受害者提供的和可能新的一揽子援助计划，在战略上是有益的。

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded its arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. This activity signals the adversary’s intention to expand both their suite of malware as well as a set of targets to support Russia’s strategic and political goals.
众所周知，Turla 在美国、欧盟、乌克兰和亚洲等地区使用大量攻击性工具瞄准世界各地的实体。他们此前曾使用 CAPIBAR 和 KAZUAR 等恶意软件系列来瞄准乌克兰国防军。继 Crutch 和 TinyTurla 之后，Turla 现在已经扩大了其武器库，包括 TinyTurla-NG 和 TurlaPower-NG 恶意软件系列，同时还将目标网络扩大到非政府组织。这项活动表明，攻击者打算扩展其恶意软件套件以及一系列目标，以支持俄罗斯的战略和政治目标。

Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. 
Talos确定了三种不同的TinyTurla-NG样本的存在，但只获得了其中两个样本。该活动最早的妥协日期是 2023 年 12 月 18 日，直到 2024 年 1 月 27 日仍然有效。但是，根据恶意软件的编译日期，我们评估该活动最早可能在 2023 年 11 月开始。

In this campaign, Turla uses compromised WordPress-based websites as command and control endpoints (C2) for the TTNG backdoor. The operators used different websites running vulnerable WordPress versions (versions including 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code consisting of names such as: rss-old[.]php, rss[.]old[.]php or block[.]old[.]php
在这次活动中，Turla 使用受感染的基于 WordPress 的网站作为 TTNG 后门的命令和控制端点 （C2）。运营商使用运行易受攻击的 WordPress 版本（包括 4.4.20、5.0.21、5.1.18 和 5.7.2 的版本）的不同网站，这些网站允许上传包含 C2 代码的 PHP 文件，这些代码由以下名称组成：rss-old[.]php， rss[.]旧[.]php 或 block[.]旧[.]PHP的

TinyTurla-NG uses PowerShell and a command line to run arbitrary commands
TinyTurla-NG 使用 PowerShell 和命令行来运行任意命令

During the campaign’s three-month run, different C2 servers were also used to host PowerShell scripts and arbitrary commands that could then be executed on the victim machine.
在为期三个月的活动运行期间，还使用了不同的 C2 服务器来托管 PowerShell 脚本和任意命令，然后可以在受害者计算机上执行这些脚本和命令。

Like TinyTurla, the malware is a service DLL, which is started via svchost.exe. The malware code itself is different and new. Different malware features are distributed via different threads. The malware is using Windows events for synchronization. In the DLL’s ServiceMain function, the first main malware thread is started.
与 TinyTurla 一样，该恶意软件是一种服务 DLL，它通过 svchost.exe 启动。恶意软件代码本身是不同的和新的。不同的恶意软件功能通过不同的线程分发。恶意软件正在使用 Windows 事件进行同步。在 DLL 的 ServiceMain 函数中，启动第一个主恶意软件线程。

The InitCfgSetupCreateEvent function initializes the config variables and the event which is used for synchronization later on. 
InitCfgSetupCreateEvent 函数初始化配置变量和稍后用于同步的事件。

This thread then starts two more threads via the CheckOSVersion_StartWorkerThreads function.
然后，此线程通过 CheckOSVersion_StartWorkerThreads 函数启动另外两个线程。

After checking the PowerShell and Windows versions, the first thread starts to beacon to the C2 by sending a campaign identifier (“id”) and the message “Client Ready” to register the successful infection with the C2. This is done in the C2_client_ready function in the screenshot below.
检查 PowerShell 和 Windows 版本后，第一个线程通过发送活动标识符 （“id”） 和消息“客户端就绪”开始向 C2 信标，以向 C2 注册成功感染。这是在下面屏幕截图中的 C2_client_ready 函数中完成的。

If the registration is successful, the TTNG backdoor will ask the C2 for a task to execute (gettask_loop function). The second thread, which was started by the CheckOSVersion_Start_WorkerThreads function, is responsible for executing the task command sent from the C2. It waits until the TTNG backdoor has received the response from the C2. The synchronization between the two threads is performed via the Windows event mentioned earlier. The first thread triggers the event (in the thread1_function) once it has successfully received the task from the C2.
如果注册成功，TTNG 后门将要求 C2 执行任务（gettask_loop函数）。第二个线程由 CheckOSVersion_Start_WorkerThreads 函数启动，负责执行从 C2 发送的任务命令。它会一直等到 TTNG 后门收到来自 C2 的响应。两个线程之间的同步是通过前面提到的 Windows 事件执行的。第一个线程在成功接收来自 C2 的任务后触发事件（在thread1_function中）。

The tasks can be executed either using a PowerShell or command (cmd.exe) shell. The decision is made based on the PowerShell version running on the victim machine.
可以使用 PowerShell 或命令 （cmd.exe） shell 执行这些任务。该决定是根据受害计算机上运行的 PowerShell 版本做出的。

When executing commands via cmd.exe or PowerShell.exe, TinyTurla-NG will create pipes to input and read the output of the commands. While executing commands via cmd.exe, the backdoor first executes the command chcp 437 > NULexecute to set the active console page to 437, i.e., the U.S., and then execute the commands issued by the C2. 
当通过cmd.exe或PowerShell.exe执行命令时，TinyTurla-NG将创建管道来输入和读取命令的输出。在通过cmd.exe执行命令时，后门程序首先执行命令 chcp 437 > NUL execute 将活动控制台页面设置为 437，即美国，然后执行 C2 发出的命令。

However, while executing commands via PowerShell.exe, TinyTurla-NG will additionally execute the following PowerShell cmdlet to prevent the recording of command history:
但是，在通过PowerShell.exe执行命令时，TinyTurla-NG 将额外执行以下 PowerShell cmdlet 以防止记录命令历史记录：

Set-PSReadLineOption -HistorySaveStyle SaveNothing

In addition to executing the content of the task received from the C2 directly e.g., C:\windows\system32\malware.exe, the backdoor will accept the following command codes from the C2. These command codes can be meant for administering the implant or for file management:
除了直接执行从 C2 接收到的任务内容外，例如， C:\windows\system32\malware.exe 后门将接受来自 C2 的以下命令代码。这些命令代码可用于管理植入物或文件管理：

• “timeout”: Change the number of minutes the backdoor sleeps between asking the C2 for new tasks. The new timeout is one minute multiplied by the timeout parameter sent by the C2. For example, if the C2 sends the task “timeout 10”, then the backdoor will now sleep for 10 minutes. If it is given a third parameter, the fail counter is changed, too.
  “timeout”：更改后门在向 C2 请求新任务之间的休眠分钟数。新的超时是一分钟乘以 C2 发送的超时参数。例如，如果 C2 发送任务“timeout 10”，则后门现在将休眠 10 分钟。如果为其提供第三个参数，则故障计数器也会更改。

• “changeshell”: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
  “changeshell”：此命令将指示后门切换当前用于执行命令的 shell，即从 cmd.exe 切换到PowerShell.exe，反之亦然。
• “changepoint”: This command code is used by the C2 to retrieve the result of command(s) executed on the infected endpoint. The endpoint will also return logging messages to the C2 server it has collected for administrative commands executed since “changepoint” was last issued such as:
  “changepoint”：C2 使用此命令代码来检索在受感染端点上执行的命令的结果。端点还将向 C2 服务器返回日志记录消息，该服务器已收集自上次发出“changepoint”以来执行的管理命令，例如：

[+] Short Timer changed. New Short Timeout is 1 minute

• “get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
  “get”：使用 HTTP GET 请求获取 C2 指定的文件，并将其写入磁盘上的指定位置。
• “post”: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
  “post”：将文件从受害者泄露到 C2，例如 post C:\some_file.bin .
• “killme”: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat. 
  “killme”：创建一个 BAT 文件（见下文），其名称基于当前分时计数。然后，使用 BAT 文件从受害计算机的磁盘中删除文件，例如 killme <filename> .BAT 文件通过 cmd.exe /c <BAT-file-name>.bat 执行。

The killme command generates a batch file with the content below. It is interesting to note that the backdoor DLL is essentially a service, however, the batch script deletes a registry key in HKCU\SW\classes\CLSID and restarts explorer[.]exe indicating an attempt to create persistence using COM hijacking, a tactic Turla has used in the past to establish persistence for their malware.
该 killme 命令生成包含以下内容的批处理文件。有趣的是，后门DLL本质上是一种服务，但是，批处理脚本删除了 HKCU\SW\classes\CLSID 注册表项并重新启动explorer[.]exe 表示尝试使用 COM 劫持创建持久性，这是 Turla 过去用来为其恶意软件建立持久性的策略。

Registry key deleted: 注册表项已删除：

HKEY_CURRENT_USER\Software\Classes\CLSID\{C2796011-81BA-4148-8FCA-C6643245113F}

The BAT file is created from the template where the first two “%s” are replaced with the DLL name and the last one with the name of the BAT file itself to delete both artifacts from the disk.
BAT 文件是从模板创建的，其中前两个“%s”替换为 DLL 名称，最后一个“%s”替换为 BAT 文件本身的名称，以从磁盘中删除这两个项目。

TurlaPower-NG and its exfiltration capabilities
TurlaPower-NG 及其渗透功能

Talos also discovered malicious PowerShell scripts we’re calling “TurlaPower-NG”, written to infected endpoints via the TTNG backdoor. The scripts consist of the C2 URL and target file paths. For each file path specified, the script will recursively enumerate files and add them to an archive on disk. TurlaPower-NG takes specific care to exclude files with the “.mp4” extension from being added to the archive. The attackers had a specific interest in key material used to secure the password databases and popular password management software, adding related files to the archive:
Talos 还发现了我们称之为“TurlaPower-NG”的恶意 PowerShell 脚本，这些脚本通过 TTNG 后门写入受感染的端点。脚本由 C2 URL 和目标文件路径组成。对于指定的每个文件路径，脚本将递归枚举文件并将其添加到磁盘上的存档中。TurlaPower-NG特别注意排除带有“.mp4”扩展名的文件被添加到存档中。攻击者对用于保护密码数据库和流行密码管理软件的关键材料特别感兴趣，并将相关文件添加到存档中：

The archive is a “.zip” extension whose name is generated on the fly by generating a new GUID which is used as the archive name. The archive file is then exfiltrated to the C2 using HTTP/S POST requests along with a log of the activity performed being sent to the C2 as well. The log consists of:
存档是一个“.zip”扩展，其名称是通过生成用作存档名称的新 GUID 动态生成的。然后，使用 HTTP/S POST 请求将存档文件泄露到 C2，同时将所执行活动的日志也发送到 C2。日志包括：

• Name of the archive file (or part) POSTed to the C2.
  存档文件（或部分）的名称已 POST 到 C2。
• Number of files in the archive along with the archive size.
  存档中的文件数以及存档大小。

C2 setup and operations C2 设置和操作

All of the C2 servers discovered so far consist of legitimate, vulnerable WordPress-based websites compromised by Turla to set up their C2 servers. Once compromised the operators set up scripts, logging and data directories to operate their C2 servers.
到目前为止发现的所有 C2 服务器都由合法的、易受攻击的基于 WordPress 的网站组成，这些网站被 Turla 入侵以设置其 C2 服务器。一旦遭到入侵，操作员就会设置脚本、日志记录和数据目录来操作他们的 C2 服务器。

Directory and file structure
目录和文件结构

The C2’s directories and files setup consists of three key components:
C2 的目录和文件设置由三个关键组件组成：

• C2 scripts: Turla set up PHP scripts ending with extensions — “.old.php” — in certain directories of the compromised websites. The URLs for these PHP-based C2s were then coded into the TTNG backdoors consisting of two C2 URLs per sample.
  C2 脚本：Turla 在受感染网站的某些目录中设置了以扩展名“.old.php”结尾的 PHP 脚本。然后，这些基于 PHP 的 C2 的 URL 被编码到 TTNG 后门中，每个样本由两个 C2 URL 组成。
• Logging: In addition to the C2 PHP scripts, the adversary also set up the logging of infections to keep track of infected systems and commands being issued to them. The logging mechanism of the C2 generates three log files on the C2 server:
  日志记录：除了 C2 PHP 脚本外，攻击者还设置了感染日志记录，以跟踪受感染的系统和向它们发出的命令。C2 的日志记录机制在 C2 服务器上生成三个日志文件：
  • _log[.]txt: A log of all infected endpoints beaconing into the C2.
    _log[.]txt：所有受感染端点信标到 C2 的日志。
  • result[.]txt: A log of all messages received from the TTNG backdoor.
    结果[.]txt：从 TTNG 后门接收的所有消息的日志。
  • tasks[.]txt: A log of all commands issued to the infected hosts.
    任务[.]txt：向受感染主机发出的所有命令的日志。
• Data directories: TTNG and TurlaPower-NG both support the exfiltration of files to the C2 server. The C2 server stores stolen data in directories separate from the logging directories.
  数据目录：TTNG 和 TurlaPower-NG 都支持将文件泄露到 C2 服务器。C2 服务器将被盗数据存储在与日志记录目录分开的目录中。

C2 communication process C2通讯流程

The TinyTurla-NG backdoor uses a specific Identifier, “id” value in its HTTP form data whenever it communicates with the C2 server. This ID value is an eight-character phrase hardcoded into the backdoor. 
每当TinyTurla-NG后门与C2服务器通信时，它都会在其HTTP表单数据中使用特定的标识符“id”值。此 ID 值是硬编码到后门中的 8 个字符的短语。

This same identifier value is then used to create directories for log files on the C2 server indicating that the C2 server maintains different log files for different identifiers.
然后，使用相同的标识符值为 C2 服务器上的日志文件创建目录，指示 C2 服务器为不同的标识符维护不同的日志文件。

After registering the victim on the C2 server, the backdoor sends out a gettask request, similar to the one below. The C2 can answer this with special commands or just the file that is supposed to be executed on the infected machine. 
在 C2 服务器上注册受害者后，后门会发出一个 gettask 请求，类似于下面的请求。C2 可以使用特殊命令或仅使用应该在受感染计算机上执行的文件来回答这个问题。

Depending on the PowerShell version running on the victim machine, the C2 task commands are piped into a PowerShell or cmd[.]exe shell. 
根据受害计算机上运行的 PowerShell 版本，C2 任务命令通过管道传递到 PowerShell 或 cmd[.]exe shell。

Coverage 覆盖

Ways our customers can detect and block this threat are listed below.
下面列出了我们的客户检测和阻止此威胁的方法。

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
思科安全终端（以前称为面向终端的AMP）非常适合防止本文中详述的恶意软件的执行。 在此处免费试用安全终端。

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
思科安全 Web 设备 Web 扫描可防止访问恶意网站并检测这些攻击中使用的恶意软件。

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
思科安全邮件（以前称为思科邮件安全）可以阻止威胁行为者在其活动中发送的恶意电子邮件。您可以在此处免费试用 Secure Email。

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
思科安全防火墙（以前称为下一代防火墙和 Firepower NGFW）设备（如 Threat Defense Virtual、自适应安全设备和 Meraki MX）可以检测与此威胁相关的恶意活动。

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
思科安全恶意软件分析（威胁网格）可识别恶意二进制文件，并在所有思科安全产品中构建保护功能。

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Umbrella 是思科的安全互联网网关 （SIG），可阻止用户连接到恶意域、IP 和 URL，无论用户是在公司网络上还是在公司网络外。在此处注册 Umbrella 的免费试用版。

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
思科安全 Web 设备（以前称为网络安全设备）会自动阻止具有潜在危险的站点，并在用户访问可疑站点之前对其进行测试。

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
防火墙管理中心提供针对特定环境和威胁数据的上下文的其他保护。

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Cisco Duo 为用户提供多重身份验证，以确保只有经过授权的用户才能访问您的网络。

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
开源 Snort 订阅者规则集客户可以通过下载可在 Snort.org 上购买的最新规则包来了解最新信息。

IOCs 国际奥委会

IOCs for this research can also be found at our GitHub repository here.
这项研究的 IOC 也可以在我们的 GitHub 存储库中找到。

Hashes 散 列

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

Domains 域

hanagram[.]jp 花格[.]太平绅士
thefinetreats[.]com
caduff-sa[.]ch caduff-sa[.]中文
jeepcarlease[.]com 吉普车[.]com
buy-new-car[.]com 买新车[.]com
carleasingguru[.]com 卡莱辛古鲁[.]com

原文始发于Asheer Malhotra, Holger Unterbrink, Vitor Ventura, Arnaud Zobec：TinyTurla Next Generation – Turla APT spies on Polish NGOs