
Turla APT Plants Novel Backdoor In Wake of Afghan Unrest
2021-09-21 16:02

The Turla advanced persistent threat group is back with a new backdoor used to infect systems in Afghanistan, Germany and the U.S., researchers have reported.

On Tuesday, Cisco Talos researchers said that they've spotted infections they attributed to the Turla group, a Russian-speaking APT. Those attacks are "likely" using a stealthy, "second-chance" backdoor to maintain access to infected devices, they noted.

"During their campaigns, they are often using and re-using compromised servers for their operations, which they access via SSH, often protected by Tor. One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla infrastructure."

That infrastructure is old: In the Penguin Turla attacks of 2011, disclosed by Kaspersky Lab in 2014, Linux machines were targeted with a backdoor based on the open-source LOKI2 backdoor that was released in Phrack magazine in September 1997.

Who Is Turla?

In January, the firm suggested that Turla malware may have been used in the SolarWinds blitzkrieg, given that Kaspersky researchers found code similarities between the Sunburst backdoor used in that sprawling series of supply-chain attacks and the Kazuar backdoor attributed to Turla.

Besides being potentially tied to the Sunburst backdoor used in SolarWinds, Turla has also been linked to well-known malware such as Crutch, which leveraged Dropbox in espionage attacks against European Union countries last December, and, again, to the Kazuar backdoor, described in 2017 by Palo Alto Networks as a multiplatform espionage backdoor with API access.

News URL

https://threatpost.com/turla-apt-backdoor-afghanistan/174858/