S0668 TinyTurla
TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.1
| Item | Value |
|---|---|
| ID | S0668 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 02 December 2021 |
| Last Modified | 26 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TinyTurla can use HTTPS in C2 communications.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | TinyTurla has been installed using a .bat file.1 |
| enterprise | T1005 | Data from Local System | TinyTurla can upload files from a compromised host.1 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.1 |
| enterprise | T1008 | Fallback Channels | TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.1 |
| enterprise | T1105 | Ingress Tool Transfer | TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | TinyTurla has mimicked an existing Windows service by being installed as Windows Time Service.1 |
| enterprise | T1036.005 | Match Legitimate Name or Location | TinyTurla has been deployed as w64time.dll to appear legitimate.1 |
| enterprise | T1112 | Modify Registry | TinyTurla can set its configuration parameters in the Registry.1 |
| enterprise | T1106 | Native API | TinyTurla has used WinHTTP, CreateProcess, and other APIs for C2 communications and other functions.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.011 | Fileless Storage | TinyTurla can save its configuration parameters in the Registry.1 |
| enterprise | T1012 | Query Registry | TinyTurla can query the Registry for its configuration information.1 |
| enterprise | T1029 | Scheduled Transfer | TinyTurla contacts its C2 based on a scheduled timing set in its configuration.1 |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | TinyTurla can install itself as a service on compromised machines.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | 1 |