Ttng

Malware Profile Updated 3 months ago
TinyTurla-NG (TTNG) is a potent backdoor identified by Cisco Talos in partnership with CERT.NGO. It is part of the arsenal of the Turla APT, a notorious Russian state-sponsored group known for cyber espionage. The malware is designed to infiltrate systems, often without being detected, and to carry out harmful actions such as stealing information or disrupting operations. TTNG resembles Turla's earlier TinyTurla implant, and the two share operational patterns.

The command and control (C2) scripts associated with TTNG are central to its operation. They are deployed on compromised WordPress servers and serve executables and administrative commands to infected systems. If an "id" is supplied in the HTTP request to the C2 server, the request is treated as communication from an implant such as TTNG or TurlaPower-NG; "id" is the same variable that the TTNG and TurlaPower-NG implants pass when contacting the C2, which uses it to create a logging directory for that implant. After compromise, TTNG operators issue three sets of modular PowerShell commands, among them reconnaissance commands that enumerate the files in a directory chosen by the operator. A privilege elevation tool is used to run these PowerShell scripts. Alongside TurlaPower-NG, another implant found on infected systems suggests that Chisel was used as a further means of persistent access. The output of a command run on an infected endpoint by the TTNG backdoor is sent back to the C2, which records it in a file on disk, illustrating the depth of control the malware has over compromised systems.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: TinyTurla
Votes: 2
Profile description: TinyTurla is a sophisticated malware linked to the Russia-sponsored threat actor, Turla APT. This malicious software has been utilized in a targeted campaign against Polish Non-Governmental Organizations (NGOs), particularly those with connections to supporting Ukraine. TinyTurla operates as a backd
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Cisco
Wordpress
Backdoor
Reconnaissance
State Sponso...
Talos
Associated Malware
No associations to display
Associated Threat Actors
ID: Turla
Type: Unspecified
Votes: 2
Profile description: Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Associated Vulnerabilities
No associations to display
Source Document References
Information about the TTNG malware was read from the document corpus below. This display is limited to 20 results.
Source: CERT-EU (5 months ago), title: TinyTurla-NG in-depth tooling and command and control analysis
Source: Securityaffairs (5 months ago), title: Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
Source: CERT-EU (5 months ago), title: Why Apple added protection against quantum computing when quantum computing doesn't even exist yet