TinyTurlaNG (Malware Family)

TinyTurlaNG

aka: TTNG

Actor(s): Turla

VTCollection

Cisco Talos states that TinyTurla-NG is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion.

References

2024-04-18 ⋅ EchoCTI ⋅ Bilal BAKARTEPE, bixploit
Turla APT Analysis with TinyTurla-NG
TinyTurlaNG

2024-02-15 ⋅ Cisco Talos ⋅ Arnaud Zobec, Asheer Malhotra, Holger Unterbrink, Vitor Ventura
TinyTurla Next Generation - Turla APT spies on Polish NGOs
TinyTurlaNG

Yara Rules

[TLP:WHITE] win_tinyturla_ng_auto (20260504 | Detects win.tinyturla_ng.)

rule win_tinyturla_ng_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tinyturla_ng."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyturla_ng"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b816000000 49beffffffffffffff7f 4883fe0f 771d 488975df 4c8bc6 }
            // n = 6, score = 200
            //   b816000000           | cmp                 eax, 6
            //   49beffffffffffffff7f     | jne    0x7f8
            //   4883fe0f             | cmp                 dword ptr [esp + 0x68], 2
            //   771d                 | mov                 eax, dword ptr [ecx + edi + 0x10]
            //   488975df             | and                 eax, 0x13
            //   4c8bc6               | or                  eax, 4

        $sequence_1 = { 498bce e8???????? 488b542440 4883fa10 722e }
            // n = 5, score = 200
            //   498bce               | xorps               xmm0, xmm0
            //   e8????????           |                     
            //   488b542440           | dec                 eax
            //   4883fa10             | mov                 dword ptr [esp + 0x20], eax
            //   722e                 | dec                 eax

        $sequence_2 = { 4d8d4701 488bd7 488bc8 e8???????? 48895c2440 4c897c2438 }
            // n = 6, score = 200
            //   4d8d4701             | dec                 esp
            //   488bd7               | lea                 edx, [0xfffedebc]
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   48895c2440           | mov                 eax, dword ptr [ebx + 0x18]
            //   4c897c2438           | mov                 ecx, edi

        $sequence_3 = { 721c 4c8b41f8 4883c227 492bc8 488d41f8 4883f81f 0f8717010000 }
            // n = 7, score = 200
            //   721c                 | mov                 edx, dword ptr [esp]
            //   4c8b41f8             | dec                 eax
            //   4883c227             | cmp                 edi, 4
            //   492bc8               | jne                 0x3b2
            //   488d41f8             | xor                 ecx, ecx
            //   4883f81f             | dec                 esp
            //   0f8717010000         | lea                 eax, [0x2ad12]

        $sequence_4 = { 488bfa 488bf1 4032ed 4533e4 }
            // n = 4, score = 200
            //   488bfa               | dec                 eax
            //   488bf1               | test                eax, eax
            //   4032ed               | je                  0x3cb
            //   4533e4               | dec                 eax

        $sequence_5 = { ff15???????? 488d5570 488d4d30 e8???????? 498d8df8000000 488bd0 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   488d5570             | je                  0x115
            //   488d4d30             | dec                 eax
            //   e8????????           |                     
            //   498d8df8000000       | lea                 edx, [0x3631e]
            //   488bd0               | dec                 eax

        $sequence_6 = { 85c0 0f95c1 85c0 0f843e010000 488d96b0000000 48837a1810 7203 }
            // n = 7, score = 200
            //   85c0                 | lea                 ecx, [ebp + 8]
            //   0f95c1               | inc                 ebp
            //   85c0                 | xor                 esi, esi
            //   0f843e010000         | dec                 esp
            //   488d96b0000000       | mov                 dword ptr [ebp + 0x30], esi
            //   48837a1810           | test                al, al
            //   7203                 | je                  0x880

        $sequence_7 = { 7203 488b1b 4883fe10 730d 0f1003 0f1145cf }
            // n = 6, score = 200
            //   7203                 | jp                  0xffffffef
            //   488b1b               | nop                 word ptr [eax + eax]
            //   4883fe10             | mov                 ecx, 0xd8
            //   730d                 | dec                 eax
            //   0f1003               | mov                 dword ptr [esp + 0x38], eax
            //   0f1145cf             | dec                 eax

        $sequence_8 = { 85c0 0f84e3000000 498bc6 4883fb10 7203 498b06 4883fe03 }
            // n = 7, score = 200
            //   85c0                 | dec                 eax
            //   0f84e3000000         | lea                 edx, [0x37312]
            //   498bc6               | cmp                 ecx, 4
            //   4883fb10             | jne                 0x1bb
            //   7203                 | xor                 ecx, ecx
            //   498b06               | dec                 eax
            //   4883fe03             | lea                 edx, [0x37342]

        $sequence_9 = { 0f841f030000 492bfe 4883ffff 0f8417030000 0f1f4000 66660f1f840000000000 4c897dd8 }
            // n = 7, score = 200
            //   0f841f030000         | sub                 eax, ecx
            //   492bfe               | dec                 ecx
            //   4883ffff             | mov                 esp, 0xffffffff
            //   0f8417030000         | dec                 ecx
            //   0f1f4000             | mov                 esi, esp
            //   66660f1f840000000000     | dec    ecx
            //   4c897dd8             | cmp                 eax, esp

    condition:
        7 of them and filesize < 635904
}

Download all Yara Rules

TinyTurlaNG Propose Change

References

Yara Rules

TinyTurlaNG