
S0668 TinyTurla

TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.[1]

| Item | Value |
|---|---|
| ID | S0668 |
| Associated Names | |
| Version | 1.1 |
| Created | 02 December 2021 |
| Last Modified | 26 March 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TinyTurla can use HTTPS in C2 communications.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | TinyTurla has been installed using a .bat file.[1] |
| enterprise | T1005 | Data from Local System | TinyTurla can upload files from a compromised host.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[1] |
| enterprise | T1008 | Fallback Channels | TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.[1] |
| enterprise | T1105 | Ingress Tool Transfer | TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | TinyTurla has mimicked an existing Windows service by being installed as Windows Time Service.[1] |
| enterprise | T1036.005 | Match Legitimate Name or Location | TinyTurla has been deployed as w64time.dll to appear legitimate.[1] |
| enterprise | T1112 | Modify Registry | TinyTurla can set its configuration parameters in the Registry.[1] |
| enterprise | T1106 | Native API | TinyTurla has used WinHTTP, CreateProcess, and other APIs for C2 communications and other functions.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.011 | Fileless Storage | TinyTurla can save its configuration parameters in the Registry.[1] |
| enterprise | T1012 | Query Registry | TinyTurla can query the Registry for its configuration information.[1] |
| enterprise | T1029 | Scheduled Transfer | TinyTurla contacts its C2 based on a scheduled timing set in its configuration.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | TinyTurla can install itself as a service on compromised machines.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |