A European non-governmental organization was the target of a cyberattack by the UNC4210 group, which used the TinyTurla-NG malware to install a backdoor. Cisco Talos published a report on the intrusion describing the tactics employed.
During the breach the attackers compromised the unnamed NGO's systems, established persistent access and added antivirus exclusions to avoid detection. UNC4210 also set up additional communication channels with the Chisel tunneling tool, which it used to exfiltrate data and move laterally to other systems on the network.
Initial access took place in October 2023, Chisel was deployed in December 2023, and data was exfiltrated in January 2024.
After gaining initial access, UNC4210 configured exclusions in Microsoft Defender antivirus so that its tooling would not be scanned, then installed TinyTurla-NG. Persistence was achieved by creating a malicious service named "SDM", disguised as a "Device dispatcher" system service.
The malware acts as a backdoor: it lets the operators run reconnaissance, enumerate files on the compromised host, transfer files to and from the command-and-control (C2) server, and deploy a modified build of the Chisel tunneling tool. The initial access vector is still under investigation.
On each newly accessed system the attackers repeated the same sequence: adding Microsoft Defender exclusions, installing the malware and configuring it to persist as a service.
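The two host-side traces this sequence leaves, a Defender exclusion and a freshly registered service, can be checked directly on a suspect machine. The script below is an added example for this page, not code from Cisco Talos or from the attackers' tooling; it assumes an elevated PowerShell session on the host being examined and uses a 90-day lookback window chosen here to cover the October-to-January timeline. It relies on the standard Microsoft Defender operational log (Event ID 5007, configuration changes) and the System log (Event ID 7045, a new service installed), and flags services whose binary lives outside the Windows and Program Files directories.

```powershell
# Added example (not from the original report): audit a Windows host for the
# persistence signals described above. Assumes an elevated session; the
# 90-day window is an assumption chosen to cover the timeline in the article.
$since = (Get-Date).AddDays(-90)

# 1. Current Defender exclusions. An attacker adds a path, process or extension
#    here so that the dropped backdoor is never scanned.
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionProcess   = $pref.ExclusionProcess
    ExclusionExtension = $pref.ExclusionExtension
} | Format-List

# 2. Defender configuration changes (Event ID 5007). Adding an exclusion is
#    logged as a change under the Exclusions key, so filter on that word.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message | Format-List

# 3. New services registered in the same window (System log, Event ID 7045).
#    A service created for persistence appears here with its name and image path.
Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 4. Services whose binary sits outside the usual system directories. A
#    "system-sounding" display name paired with a path under a user profile or
#    a temp directory is the masquerade pattern to look for.
$systemDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }
Get-CimInstance Win32_Service | Where-Object {
    $path = $_.PathName
    $path -and -not ($systemDirs | Where-Object { $path -like "*$_*" })
} | Select-Object Name, DisplayName, StartMode, StartName, PathName |
    Format-Table -AutoSize
```

Step 4 intentionally lists more than just malicious services (third-party software installed under non-standard paths will appear too); the point is to review display names against image paths by hand, because the service name and description are exactly what the intruder chose to make look legitimate.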
TinyTurla-NG had already been detected in the networks of Polish NGOs by the end of 2023. Cisco Talos found that the backdoor communicated with compromised WordPress sites that served as its command-and-control (C2) servers. TinyTurla-NG can execute commands received from the C2 server, transfer files, and deploy scripts that extract passwords from password-manager databases.