22 September 2021

Turla APT targets entities in US, Germany and Afghanistan with new backdoor


Cisco’s Talos research team has uncovered a never-before-seen backdoor used by the Russia-linked Turla APT in attacks against targets in the US, Germany and Afghanistan.

Also known as Snake, Venomous Bear, Uroburos and WhiteBear, the Turla Advanced Persistent Threat (APT) group has been active since at least 2004 and is mainly focused on cyber-espionage.

Dubbed TinyTurla, the malware is a simple backdoor likely used to maintain access to the target system even if the primary malware is discovered and removed. The backdoor can also act as a second-stage dropper to infect the system with additional malware.

This new malware was spotted in the attack that targeted the previous Afghan government (prior to the recent Taliban takeover of Afghanistan following the pullout of Western-backed military forces), Cisco Talos said. The threat actors installed the backdoor as a service on the infected machine, masquerading as the legitimate "Windows Time Service".

While the researchers were not able to determine how the adversaries managed to infect the system, they discovered a .bat file used to install the backdoor disguised as a benign Microsoft Windows Time service. The backdoor itself was delivered in the form of a service DLL called w64time.dll, which looked like a valid Microsoft DLL.
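One defender-side check this description suggests is to compare every service that presents itself as the Windows Time service against the genuine one, which runs under the service key W32Time and loads System32\w32time.dll. The following is an added example, not code from Cisco Talos or from the article; the registry records it scans are constructed, and the path of the impostor DLL is an assumption modelled on the w64time.dll name given above.

```python
"""Flag services that claim to be the Windows Time service but load a DLL other
than the genuine w32time.dll. Added detection example modelled on the page's
description (a service DLL named w64time.dll); the records below are
constructed, not taken from a real host.
"""
import ntpath
import re
from dataclasses import dataclass

# Identity of the genuine Windows Time service (well-known Windows facts,
# not from the page): service key W32Time, hosted DLL System32\w32time.dll.
GENUINE_SERVICE_KEY = "w32time"
GENUINE_DLL = "w32time.dll"
GENUINE_DIR = "c:\\windows\\system32"

# Anything that advertises itself as the time service, lookalike names included.
TIME_SERVICE_PATTERN = re.compile(r"windows\s*time|w\d\dtime|time service", re.I)


@dataclass
class ServiceRecord:
    # One service as read from HKLM\SYSTEM\CurrentControlSet\Services\<key>.
    key: str            # registry key name, e.g. W32Time
    display_name: str   # DisplayName value
    service_dll: str    # Parameters\ServiceDll value (svchost-hosted services)


def _normalise(path: str) -> str:
    # Expand the usual %SystemRoot% form and lower-case for comparison.
    return path.lower().replace("%systemroot%", "c:\\windows")


def check_time_service(rec: ServiceRecord) -> list[str]:
    """Return the reasons rec looks like a Windows Time impostor; [] if it is
    genuine or does not claim to be the time service at all."""
    claims_time = TIME_SERVICE_PATTERN.search(rec.key) or TIME_SERVICE_PATTERN.search(rec.display_name)
    if not claims_time:
        return []
    directory, filename = ntpath.split(_normalise(rec.service_dll))
    reasons = []
    if filename != GENUINE_DLL:
        reasons.append(f"ServiceDll is {filename}, genuine service loads {GENUINE_DLL}")
    if directory != GENUINE_DIR:
        reasons.append(f"ServiceDll lives outside System32: {directory}")
    if rec.key.lower() != GENUINE_SERVICE_KEY:
        reasons.append(f"service key {rec.key!r} is not {GENUINE_SERVICE_KEY!r}")
    return reasons


def scan(records):
    """Map each suspicious service key to its list of reasons."""
    findings = {}
    for rec in records:
        reasons = check_time_service(rec)
        if reasons:
            findings[rec.key] = reasons
    return findings


# Constructed sample registry contents. The W64Time entry follows the page's
# description of the TinyTurla service DLL; its install path is an assumption.
SAMPLE_SERVICES = [
    ServiceRecord("W32Time", "Windows Time", r"%SystemRoot%\System32\w32time.dll"),
    ServiceRecord("W64Time", "Windows Time Service", r"%SystemRoot%\System32\w64time.dll"),
    ServiceRecord("ExampleSvc", "Example Service", r"C:\Program Files\Example\example.dll"),
]

if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_SERVICES).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

The check deliberately keys on what the service claims to be rather than on the DLL name alone: a lookalike DLL sitting in System32 passes a path-based allowlist, but a second "Windows Time" service whose key is not W32Time and whose DLL is not w32time.dll cannot be legitimate. On a live host the same records come from the Services registry hive, and the expected values can be tightened further by checking the DLL's signature.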

The backdoor contacted the command and control (C2) server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator. Based on the received commands the malware executed various functions such as authentication, process execution, file download or upload, subprocess creation/killing, password change, and more.
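A fixed five-second poll over HTTPS is a rigid rhythm that stands out in connection logs even when the payload is encrypted. Below is an added example of the periodicity analysis a detection engineer would run over such logs; it is not Talos's tooling and not from the article. The log lines are constructed, the field layout is assumed, and the hosts are documentation addresses.

```python
"""Spot fixed-interval HTTPS check-ins in connection logs. Added detection
example for the five-second polling pattern the article describes; the log
lines are constructed, not captured traffic, and the field layout is assumed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO timestamp> <src> <dst>:<port> <bytes_sent>".
# 203.0.113.10 receives one small connection every five seconds; the other
# destinations are ordinary browsing noise.
SAMPLE_LOG = """\
2021-09-20T10:00:00 10.0.0.5 203.0.113.10:443 412
2021-09-20T10:00:01 10.0.0.5 198.51.100.7:443 15023
2021-09-20T10:00:05 10.0.0.5 203.0.113.10:443 410
2021-09-20T10:00:10 10.0.0.5 203.0.113.10:443 415
2021-09-20T10:00:12 10.0.0.5 198.51.100.9:443 88120
2021-09-20T10:00:15 10.0.0.5 203.0.113.10:443 409
2021-09-20T10:00:20 10.0.0.5 203.0.113.10:443 413
2021-09-20T10:00:25 10.0.0.5 203.0.113.10:443 411
2021-09-20T10:00:30 10.0.0.5 203.0.113.10:443 414
2021-09-20T10:00:31 10.0.0.5 198.51.100.7:443 2203
2021-09-20T10:00:35 10.0.0.5 203.0.113.10:443 410
2021-09-20T10:00:59 10.0.0.5 198.51.100.7:443 3301
"""


def parse_log(text):
    """Return (timestamp, src, dst, bytes_sent) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_events=6, max_jitter=0.2, max_period_s=600):
    """Return one finding per (src, dst) pair whose inter-arrival times are
    nearly constant, i.e. the spread of the gaps is small relative to the
    median gap. Request sizes are summarised too: a bare check-in tends to be
    small and uniform."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), rows in by_pair.items():
        if len(rows) < min_events:
            continue                      # too few samples to judge a rhythm
        rows.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        period = statistics.median(deltas)
        if period <= 0 or period > max_period_s:
            continue
        jitter = statistics.pstdev(deltas) / period
        if jitter > max_jitter:
            continue                      # irregular: looks like a human or a browser
        sizes = [size for _, size in rows]
        findings.append({
            "src": src,
            "dst": dst,
            "count": len(rows),
            "period_s": period,
            "jitter": round(jitter, 3),
            "size_cv": round(statistics.pstdev(sizes) / statistics.mean(sizes), 3),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Periodic outbound traffic is not malicious on its own; update agents and the real Windows Time client poll on schedules too, so a finding like this is a pivot for correlation (the destination's reputation, the process behind the connections, the presence of an impostor service DLL) rather than a verdict. The thresholds are starting points to tune against a baseline of the environment's own traffic.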

“Turla has been around for many years as a state-sponsored actor and will likely not go away soon. Adversaries like Turla often use sophisticated malware, but they also often use what is good enough to fly under the radar. Nevertheless, they are making mistakes like everyone else. Talos has monitored many noisy Turla operations, for example. During their campaigns, they are often using and re-using compromised servers for their operations, which they access via SSH, often protected by TOR. One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla Infrastructure,” Cisco Talos said.

