Russia’s Turla APT Abuses MSBuild to Deliver TinyTurla Backdoor – Source: www.darkreading.com

Source: Age Foto Stock via Alamy Stock Photo

A Russia-linked advanced persistent threat (APT) group has been abusing PDF and MSBuild project files in a campaign that uses socially engineered emails to deliver the TinyTurla backdoor as a fileless payload. The campaign’s seamless delivery routine is a notable evolution in sophistication, researchers said.

Researchers from Cyble Researchers and Intelligence Labs (CRIL) identified the campaign, which uses emails with documents pitching invitations to human rights seminars or providing public advisories as a lure to infect users with TinyTurla. In a blog post published yesterday on the campaign, they said the attackers also impersonate legitimate authorities in an effort to lure victims in.

“When targeted individuals mistakenly believe this to be a legitimate invitation or advisory and open it, they could inadvertently install a tiny backdoor into their system,” according to the post. Attackers then can use the backdoor to execute commands from a command-and-control (C2) server that they control and infiltrate the victim’s system.

The campaign — which targets individuals and entities in the Philippines — demonstrates attacker sophistication by embedding lure PDFs and MSBuild project files within .LNK files “for seamless execution,” according to CRIL. The attacker also “executes the project files using the Microsoft Build Engine (MSBuild) to deliver a stealthy, fileless final payload,” according to the post.

The Likely Culprit: Turla APT

The TinyTurla backdoor is linked to a long-running Russia-sponsored threat actor, Turla, that typically targets NGOs, “particularly those with connections to supporting Ukraine,” the researchers noted. They believe the group is behind the malicious activity, according to the post.

Code observed by the researchers, the content of the emails, and other tactics also point to the APT. “The utilization of basic first-stage backdoor functionalities, coupled with the exploitation of compromised Web servers for their C2 infrastructure, aligns with the behavior exhibited by the Turla,” according to the post.

Turla also is known to deploy PHP-based C2s within specific directories of compromised websites, which is a behavior also observed in the campaign.

From Spam Email to Backdoor Malware

As mentioned, the campaign begins with spam emails that include a document either inviting someone to a human rights seminar or impersonating the Philippine Statistics Authority with a public advisory. The latter was discovered and shared on the social-media platform X by security researcher Simon Kenin, according to CRIL.

When a victim clicks on a document — which is actually a malicious .LNK file — it triggers the execution of a PowerShell script embedded within that kicks off a series of operations. These include reading the content of the .LNK file and writing it into three distinct files — a lure PDF, encrypted data, and a custom MSBuild project — in the %temp% location. The MSBuild project executes to open the lure document.

“This MSBuild project contains code to decrypt the encrypted data, which is then saved in a %temp% location with the .log extension,” according to the post. “Subsequently, this .log file, also an MSBuild project, is scheduled to be executed using ‘MSBuild.exe’ through Task Scheduler to carry out backdoor activities.”

TinyTurla manages its operations by using multiple threads, each of which are designed to execute specific tasks. The “shell” enables the backdoor to execute commands on the victim’s machine by creating a new process to run the specified command within that process. The “sleep” operation allows attackers to dynamically adjust the sleep interval of the backdoor.

Other operations the backdoor executes are an “upload” operation that allows it to download a file from the C2 server and save it locally on the victim’s machine, and a “download” operation that can exfiltrate files from the victim’s machine to the C2 server.

“By coordinating these diverse operations, the backdoor functions as a versatile tool for [the threat actors],” according to the post. “It allows them to carry out subsequent malicious activities while avoiding detection and enhancing their control over compromised systems.”

Avoiding Compromise by Turla, Other APTs

Though the campaign’s impersonation of legitimate files and seamless deployment routine makes it difficult to detect, there are several ways defenders can avoid compromise, the researchers suggested.

As the entry point of the campaign comes in the form of spam emails, deploying strong email-filtering systems can identify and prevent the dissemination of harmful attachments. Further, organizations should advise employees to exercise extreme caution when handling email attachments or links, particularly those from unknown senders.

Regarding the campaign’s abuse of MSBuild, organizations can limit the use of this tool to authorized personnel or specific systems, which will “reduce the risk of unauthorized usage by threat actors,” according to CRIL. Indeed, a Russia-based APT also abused this tool in the infamous Zerologon campaign several years ago.

Defenders also should consider disabling or limiting the execution of scripting languages, such as PowerShell, on user workstations and servers if they are not essential for legitimate purposes, researchers noted.