
Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
ID: G0010
Associated Groups: BELUGASTURGEON, Krypton, Snake, Venomous Bear, Group 88, Secret Blizzard, IRON HUNTER, Waterbug, WhiteBear
Version: 5.1
Created: 31 May 2017
Last Modified: 26 Jun 2024

Associated Group Descriptions

Name Description
BELUGASTURGEON (Citation: Accenture HyperStack October 2020)
Krypton (Citation: CrowdStrike VENOMOUS BEAR)
Snake (Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos TinyTurla September 2021)
Venomous Bear (Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021)
Group 88 (Citation: Leonardo Turla Penquin May 2020)
Secret Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
IRON HUNTER (Citation: Secureworks IRON HUNTER Profile)
Waterbug Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug)
WhiteBear WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Turla RPC backdoors can impersonate or steal process tokens before executing commands.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1087 .001 Account Discovery: Local Account

Turla has used net user to enumerate local accounts on the system.(Citation: ESET ComRAT May 2020)(Citation: ESET Crutch December 2020)

.002 Account Discovery: Domain Account

Turla has used net user /domain to enumerate domain accounts.(Citation: ESET ComRAT May 2020)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Turla has created accounts on web services, including Dropbox and GitHub, for C2 and document exfiltration.(Citation: ESET Crutch December 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turla has used HTTP and HTTPS for C2 communications.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)

.003 Application Layer Protocol: Mail Protocols

Turla has used multiple backdoors which communicate with a C2 server via email attachments.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode was saved to the Startup folder to gain persistence.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)(Citation: ESET Turla Lunar toolset May 2024)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.(Citation: ESET Turla Mosquito May 2018)(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) Turla has also used PowerShell scripts to load and execute malware in memory.

.003 Command and Scripting Interpreter: Windows Command Shell

Turla RPC backdoors have used cmd.exe to execute commands.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)

.005 Command and Scripting Interpreter: Visual Basic

Turla has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019)

.006 Command and Scripting Interpreter: Python

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.(Citation: Unit 42 IronNetInjector February 2021)

.007 Command and Scripting Interpreter: JavaScript

Turla has used various JavaScript-based backdoors.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Turla has used VPS infrastructure belonging to an Iranian threat actor (OilRig) that Turla had itself compromised.(Citation: NSA NCSC Turla OilRig)

.004 Compromise Infrastructure: Server

Turla has used compromised servers as infrastructure.(Citation: Recorded Future Turla Infra 2020)(Citation: Accenture HyperStack October 2020)(Citation: Talos TinyTurla September 2021)

.006 Compromise Infrastructure: Web Services

Turla has frequently used compromised WordPress sites for C2 infrastructure.(Citation: Recorded Future Turla Infra 2020)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Turla has gathered credentials from the Windows Credential Manager tool.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1587 .001 Develop Capabilities: Malware

Turla has developed its own unique malware for use in operations.(Citation: Recorded Future Turla Infra 2020)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Turla has used WMI event filters and consumers to establish persistence.(Citation: ESET Turla PowerShell May 2019)

.013 Event Triggered Execution: PowerShell Profile

Turla has used PowerShell profiles to maintain persistence on an infected machine.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Turla has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019) Turla has also exfiltrated stolen files to OneDrive and 4shared.(Citation: ESET ComRAT May 2020)

Enterprise T1564 .012 Hide Artifacts: File/Path Exclusions

Turla has placed LunarWeb install files into directories that are excluded from scanning.(Citation: ESET Turla Lunar toolset May 2024)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Turla has named components of LunarWeb to mimic Zabbix agent logs.(Citation: ESET Turla Lunar toolset May 2024)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.(Citation: ESET Gazer Aug 2017)

.010 Obfuscated Files or Information: Command Obfuscation

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.(Citation: ESET Turla PowerShell May 2019)
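
Both this entry and the AMSI-bypass entry under T1562.001 above describe artefacts that survive in process command lines and in PowerShell script block logs (Event ID 4104). The following is an added triage script, written for this page rather than taken from ATT&CK or the ESET report: it decodes -EncodedCommand arguments (base64 of UTF-16LE), scores variable names for randomness, and looks for amsi.dll/VirtualProtect strings and for the salted-key plus 3DES decryption-stub strings that a PowerSploit-style encrypted script carries. The indicator lists, the randomness heuristic and the sample command lines are the editor's assumptions; the scripts inside the samples carry indicator strings only and are not a working bypass.

```python
"""Triage PowerShell command lines for the obfuscation and AMSI-tampering
indicators described above: -EncodedCommand (base64 of UTF-16LE), random
variable names, a salted-key + 3DES decryption stub, and amsi.dll patching."""
import base64
import re

# Indicator lists are this example's assumptions, not a published rule set.
AMSI_INDICATORS = ("amsi.dll", "amsiscanbuffer", "amsiinitfailed", "amsiutils", "virtualprotect")
STUB_INDICATORS = ("tripledescryptoserviceprovider", "rfc2898derivebytes", "passwordderivebytes")
BASE64_INDICATORS = ("frombase64string",)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e" plus an optional tail, then a base64 blob of plausible length.
ENC_RE = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form of a script (what the attacker does)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_random(name: str) -> bool:
    """Heuristic: generated names mix letters and digits or have almost no vowels."""
    if len(name) < 4:
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return (has_digit and has_alpha) or vowels / len(name) < 0.2


def triage(cmdline: str) -> dict:
    """Classify one process command line; findings are ordered by stage."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    low = text.lower()
    names = set(VAR_RE.findall(text))
    random_names = sorted(n for n in names if looks_random(n))
    findings = []
    if decoded is not None:
        findings.append("encoded-command")
    if any(i in low for i in AMSI_INDICATORS):
        findings.append("amsi-tamper")
    if any(i in low for i in STUB_INDICATORS):
        findings.append("encrypted-payload-stub")
    if any(i in low for i in BASE64_INDICATORS):
        findings.append("base64-stage")
    if names and len(random_names) / len(names) >= 0.5:
        findings.append("random-variable-names")
    return {"findings": findings, "decoded": decoded, "random_names": random_names}


# Constructed script body carrying indicator strings only; it is not a working bypass
# and not Turla's code. Note 'Amsi' + 'ScanBuffer': string splitting defeats the naive
# AmsiScanBuffer match, so the hit here comes from amsi.dll and VirtualProtect instead.
AMSI_PATCH_SCRIPT = (
    "$a3fk9 = [System.Runtime.InteropServices.Marshal]; "
    "$q7x2z = 'Amsi' + 'ScanBuffer'; "
    "$h8n1 = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' }; "
    "$v2k8 = 'VirtualProtect'"
)

SAMPLE_EVENTS = [
    # benign admin task (constructed)
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-Logs.ps1",
    # encoded loader with AMSI-tampering indicators (constructed)
    "powershell.exe -NoP -W Hidden -enc " + encode_command(AMSI_PATCH_SCRIPT),
    # decryption stub of the salted-key + 3DES kind the page describes, names randomised (constructed)
    'powershell.exe -c "$kx91 = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider; '
    "$p4z7 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes('pw', $s9q2); "
    '$d0m3 = [Convert]::FromBase64String($b7f4)"',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage(event)
        print(result["findings"] or ["clean"], result["random_names"])
```

In production, feed the 4104 script block text rather than relying on command-line decoding alone: once the stub runs, the decrypted second stage is logged there in the clear, which is exactly the material the 3DES wrapper was meant to hide from disk-based scanners.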

.011 Obfuscated Files or Information: Fileless Storage

Turla has used the Registry to store encrypted and encoded payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)
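
The Run-key value and the Winlogon Shell change listed under T1547 above, and the Registry-stored payloads described here, can all be hunted in one pass over a registry export (the .reg text that reg export produces). The following is an added example, not from ATT&CK or the cited reports: it parses a .reg file, flags Run-key values outside an allow-list, flags a Winlogon Shell value that is not plain explorer.exe, and flags large values whose byte entropy is near 8 bits per byte, as encrypted or compressed payload storage would be. The allow-list, the size and entropy thresholds, the CLSID path and the sample export are assumptions constructed for the example.

```python
"""Hunt a Windows registry export (.reg) for the artefacts described above:
Run-key autostarts (T1547.001), a tampered Winlogon Shell (T1547.004) and
large high-entropy values that may be fileless payload storage (T1027.011)."""
import math
import re
from collections import Counter

# "name"=data lines; default values (@=...) are ignored here.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-f]+\))?:(.*)$", re.I)

RUN_KEYS = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")
WINLOGON_KEY = r"\microsoft\windows nt\currentversion\winlogon"
# Allow-list placeholder (assumption); in practice build it from a clean baseline image.
KNOWN_RUN_VALUES = {"securityhealth"}


def decode_data(data: str):
    """Quoted strings -> str (with .reg escapes undone); hex values -> bytes; others kept raw."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = HEX_RE.match(data)
    if m:
        return bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
    return data


def parse_reg(text: str):
    """Yield (key, value_name, data) from a .reg export; joins backslash-continued hex lines."""
    lines = text.splitlines()
    key, i = None, 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        yield key, name, decode_data(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hunt(text: str, min_blob=512, min_entropy=7.0):
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(RUN_KEYS) and name.lower() not in KNOWN_RUN_VALUES:
            findings.append(("T1547.001 autostart", key, name, data))
        elif k.endswith(WINLOGON_KEY) and name.lower() == "shell" and str(data).strip().lower() != "explorer.exe":
            findings.append(("T1547.004 Winlogon Shell", key, name, data))
        elif isinstance(data, bytes) and len(data) >= min_blob:
            ent = shannon_entropy(data)
            if ent >= min_entropy:
                findings.append(("T1027.011 high-entropy blob", key, name, f"{len(data)} bytes, entropy {ent:.2f}"))
    return findings


# Constructed sample export, not real Turla data: the Run value name and the Winlogon
# Shell tampering mirror the page's description; the CLSID subkey and blob are hypothetical.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 8   # 2048 bytes, entropy exactly 8.0
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"local_update_check"="wscript.exe //B \"C:\\Users\\Public\\update.js\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\Public\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A2B3C4D-1111-2222-3333-444455556666}\Config]
"Data"=hex:''' + ",".join(f"{b:02x}" for b in HIGH_ENTROPY_BLOB) + "\n"

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG):
        print(" | ".join(map(str, finding)))
```

The entropy check is deliberately conservative (at least 512 bytes and at least 7 bits per byte): legitimate binary values such as cached icons and MRU blobs are common, so on a real export expect to triage the hits against a baseline rather than treat each one as malicious.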

Enterprise T1588 .001 Obtain Capabilities: Malware

Turla has used malware obtained after compromising other threat actors, such as OilRig.(Citation: NSA NCSC Turla OilRig)(Citation: Recorded Future Turla Infra 2020)

.002 Obtain Capabilities: Tool

Turla has obtained and customized publicly available tools like Mimikatz.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.(Citation: ESET ComRAT May 2020)

.002 Permission Groups Discovery: Domain Groups

Turla has used net group "Domain Admins" /domain to identify domain administrators.(Citation: ESET ComRAT May 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Turla has used spearphishing emails to deliver BrainTest as a malicious attachment.(Citation: ESET Carbon Mar 2017)

.002 Phishing: Spearphishing Link

Turla attempted to trick targets into clicking a link on a seemingly legitimate Adobe.com domain in order to download its malware and gain initial access.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET Turla Mosquito May 2018)(Citation: Github Rapid7 Meterpreter Elevate)

Enterprise T1090 .001 Proxy: Internal Proxy

Turla has compromised internal network systems to act as a proxy to forward traffic to C2.(Citation: Talos TinyTurla September 2021)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Turla used net use commands to connect to other systems within a network.(Citation: Kaspersky Turla)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.(Citation: ESET ComRAT May 2020)

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities to obtain kernel-mode privileges.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Turla has used tracert to check internet connectivity.(Citation: ESET ComRAT May 2020)
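
The account and group enumeration commands listed under T1087 and T1069 above, together with the tracert check here, are each unremarkable on their own but distinctive as a burst from one host and user. The following is an added example, the editor's rather than anything from ATT&CK or the cited reports, of a correlation rule over Sysmon-style process-creation events: it classifies each command line against the page's technique IDs and alerts when at least three distinct discovery techniques appear from the same host and user within five minutes. The event layout, host and user names, the thresholds and the sample events are assumptions constructed for the example.

```python
"""Correlate process-creation events into the discovery burst described above:
net user, net user /domain, net localgroup, net group "Domain Admins" /domain and
tracert from one host/user inside a short window."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules map (executable, argument pattern) to the ATT&CK IDs the page lists for Turla.
# The pattern set is this example's own; extend it from your environment's baseline.
NET = {"net.exe", "net1.exe"}          # net.exe hands most verbs to net1.exe
DISCOVERY_RULES = [
    (NET, re.compile(r"^user\s*$", re.I), "T1087.001 local accounts"),
    (NET, re.compile(r"^user\s+/domain\b", re.I), "T1087.002 domain accounts"),
    (NET, re.compile(r"^localgroup\b", re.I), "T1069.001 local groups"),
    (NET, re.compile(r'^group\s+"?domain admins"?\s+/domain\b', re.I), "T1069.002 domain groups"),
    ({"tracert.exe"}, re.compile(r".*"), "T1016.001 internet connectivity"),
    ({"tasklist.exe", "systeminfo.exe", "netstat.exe", "arp.exe", "nbtstat.exe"}, re.compile(r".*"),
     "T1057/T1082/T1049/T1016 host tooling"),
]


def args_of(cmdline: str) -> str:
    """Drop the (possibly quoted) program token and return the argument string."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:].partition('"')[2].strip()
    return cmd.partition(" ")[2].strip()


def classify(image: str, cmdline: str):
    """Return the technique label for one event, or None if it is not a discovery command."""
    exe = image.rsplit("\\", 1)[-1].lower()
    args = args_of(cmdline)
    for exes, pattern, label in DISCOVERY_RULES:
        if exe in exes and pattern.match(args):
            return label
    return None


def load_events(jsonl: str):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_discovery_bursts(events, window_minutes=5, min_distinct=3):
    """Alert once per (host, user) when >= min_distinct distinct discovery techniques
    occur within window_minutes of each other."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for ev in events:
        label = classify(ev["image"], ev["cmdline"])
        if label:
            by_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), label, ev["cmdline"]))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            techniques = sorted({h[1] for h in in_window})
            if len(techniques) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "techniques": techniques, "commands": [h[2] for h in in_window]})
                break
    return alerts


# Constructed Sysmon-style process-creation events (one JSON object per line); not real telemetry.
SAMPLE_EVENTS = r'''
{"time":"2024-03-04T09:12:03","host":"WS-0417","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user"}
{"time":"2024-03-04T09:12:05","host":"WS-0417","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user /domain"}
{"time":"2024-03-04T09:12:09","host":"WS-0417","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net localgroup Administrators"}
{"time":"2024-03-04T09:12:20","host":"WS-0417","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net group \"Domain Admins\" /domain"}
{"time":"2024-03-04T09:13:41","host":"WS-0417","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\TRACERT.EXE","cmdline":"tracert -h 2 203.0.113.10"}
{"time":"2024-03-04T10:05:00","host":"WS-0102","user":"CORP\\helpdesk","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user"}
{"time":"2024-03-04T14:40:00","host":"WS-0102","user":"CORP\\helpdesk","image":"C:\\Windows\\System32\\systeminfo.exe","cmdline":"systeminfo"}
'''

if __name__ == "__main__":
    for alert in detect_discovery_bursts(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Matching on the image name rather than the start of the command line matters because net.exe re-launches net1.exe for most verbs, so a rule keyed only on "net " misses half the events; likewise help-desk staff run net user in isolation all day, which is why the rule requires several distinct techniques rather than any single command.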

Enterprise T1204 .001 User Execution: Malicious Link

Turla has used spearphishing via a link to get users to download and run their malware.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Turla has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)
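
The cloud-storage exfiltration listed under T1567.002 above and the Google Apps Script C2 described here both traverse the corporate web proxy. The following is an added example, the editor's rather than ATT&CK's or ESET's, of a proxy-log check that flags WebDAV methods sent to consumer cloud storage and requests to published Apps Script web apps (served under /macros/s/<deployment-id>/exec) from non-browser clients, and totals bytes uploaded per source. The log layout, the host list (including d.docs.live.net as OneDrive's WebDAV endpoint, an assumption to confirm against your own traffic), the client IPs, the deployment ID and the user-agent strings are assumptions; the sample log is constructed.

```python
"""Flag proxy-log entries consistent with the channels described above: WebDAV
uploads of collected files to consumer cloud storage (T1567.002) and beaconing to a
Google Apps Script web app from a non-browser client (T1102.002)."""
import re
from collections import defaultdict

# Assumed log layout (constructed for this example): time src method url status bytes_out "user-agent".
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
URL_RE = re.compile(r"^https?://([^/]+)(/.*)?$")

WEBDAV_METHODS = {"PROPFIND", "PUT", "MKCOL", "MOVE"}
# Cloud-storage hosts worth watching; d.docs.live.net as OneDrive's WebDAV endpoint is an assumption.
CLOUD_STORAGE_HOSTS = ("d.docs.live.net", "dl.dropboxusercontent.com", "content.dropboxapi.com", "4shared.com")
APPS_SCRIPT_HOST = "script.google.com"


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    time, src, method, url, status, size, ua = m.groups()
    u = URL_RE.match(url)
    host, path = (u.group(1).lower(), u.group(2) or "/") if u else (url.lower(), "/")
    return {"time": time, "src": src, "method": method.upper(), "host": host,
            "path": path, "status": int(status), "bytes_out": int(size), "ua": ua}


def is_browser(ua: str) -> bool:
    return ua.startswith("Mozilla/")


def classify(rec: dict):
    host_match = any(rec["host"] == h or rec["host"].endswith("." + h) for h in CLOUD_STORAGE_HOSTS)
    if host_match and rec["method"] in WEBDAV_METHODS:
        return "T1567.002 WebDAV to cloud storage"
    # Published Apps Script web apps are served under /macros/s/<deployment-id>/exec.
    if rec["host"] == APPS_SCRIPT_HOST and rec["path"].startswith("/macros/s/") and not is_browser(rec["ua"]):
        return "T1102.002 Apps Script beacon (non-browser client)"
    return None


def analyse(log_text: str):
    """Return (flagged records, bytes PUT to cloud storage per source IP)."""
    flagged, uploaded = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        label = classify(rec)
        if label:
            rec["label"] = label
            flagged.append(rec)
            if rec["method"] == "PUT":
                uploaded[rec["src"]] += rec["bytes_out"]
    return flagged, dict(uploaded)


# Constructed sample log; hosts, IDs and client IPs are illustrative, not observed indicators.
SAMPLE_LOG = """\
2024-03-04T09:20:01Z 10.20.30.41 PROPFIND https://d.docs.live.net/a1b2c3d4/Documents/ 207 612 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-03-04T09:20:04Z 10.20.30.41 PUT https://d.docs.live.net/a1b2c3d4/Documents/usb_2024-03-04.rar 201 5242880 "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-03-04T09:25:00Z 10.20.30.41 POST https://script.google.com/macros/s/AKfycbxHypotheticalId/exec 200 340 "WinHttp"
2024-03-04T09:30:00Z 10.20.30.77 GET https://script.google.com/macros/s/AKfycbxHypotheticalId/exec 200 120 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2024-03-04T09:31:00Z 10.20.30.77 GET https://www.dropbox.com/home 200 9000 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""

if __name__ == "__main__":
    hits, totals = analyse(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["src"], h["method"], h["host"] + h["path"], "->", h["label"])
    print("bytes PUT to cloud storage per source:", totals)
```

The method and user-agent fields are only visible when the proxy terminates TLS; without interception you see CONNECT records to these hosts and the check degrades to destination plus volume, which is still enough to spot a workstation pushing a multi-megabyte archive to a consumer drive it has never used before.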

Software

ID Name References Techniques
S0039 Net (Citation: Kaspersky Turla) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S1075 KOPILUWAK (Citation: Mandiant Suspected Turla Campaign February 2023) System Owner/User Discovery, JavaScript, Local Data Staging, Malicious File, Spearphishing Attachment, Network Share Discovery, System Information Discovery, Data from Local System, System Network Configuration Discovery, System Network Connections Discovery, Process Discovery, Exfiltration Over C2 Channel, Web Protocols
S0160 certutil (Citation: Symantec Waterbug Jun 2019) (Citation: TechNet Certutil) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S0668 TinyTurla (Citation: Talos TinyTurla September 2021) Fileless Storage, Match Legitimate Resource Name or Location, Native API, Data from Local System, Scheduled Transfer, Modify Registry, Masquerade Task or Service, Asymmetric Cryptography, Query Registry, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Service Execution, Fallback Channels
S0537 HyperStack (Citation: Accenture HyperStack October 2020) Symmetric Cryptography, Local Account, Native API, Modify Registry, Default Accounts, Inter-Process Communication
S0057 Tasklist (Citation: Kaspersky Turla) (Citation: Microsoft Tasklist) System Service Discovery, Process Discovery, Security Software Discovery
S0099 Arp (Citation: Kaspersky Turla) (Citation: TechNet Arp) System Network Configuration Discovery, Remote System Discovery
S0363 Empire (Citation: ESET Crutch December 2020) (Citation: ESET Turla August 2018) (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0104 netstat (Citation: Kaspersky Turla) (Citation: TechNet Netstat) System Network Connections Discovery
S0265 Kazuar (Citation: Talos TinyTurla September 2021) (Citation: Unit 42 Kazuar May 2017) Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Standard Encoding, Local Data Staging, Local Account, Windows Service, System Information Discovery, Data from Local System, Shortcut Modification, Application Window Discovery, Scheduled Transfer, Video Capture, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, File Transfer Protocols, Registry Run Keys / Startup Folder, Local Groups, Unix Shell, Obfuscated Files or Information, Bidirectional Communication, Windows Command Shell, Data Destruction, File Deletion, Web Protocols, Ingress Tool Transfer, Fallback Channels, Dynamic-link Library Injection, Internal Proxy
S1143 LunarLoader (Citation: ESET Turla Lunar toolset May 2024) Add-ins, Deobfuscate/Decode Files or Information, Reflective Code Loading, System Network Configuration Discovery, Execution Guardrails
S0091 Epic (Citation: Kaspersky Turla) (Citation: Secureworks IRON HUNTER Profile) (Citation: TadjMakhal) (Citation: Tavdig) (Citation: Wipbot) (Citation: WorldCupSec) Extra Window Memory Injection, System Owner/User Discovery, Symmetric Cryptography, Local Account, System Service Discovery, Code Signing, System Information Discovery, Archive via Library, Archive Collected Data, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, Process Discovery, Local Groups, Obfuscated Files or Information, Query Registry, Security Software Discovery, File Deletion, Web Protocols, Remote System Discovery, System Time Discovery
S0395 LightNeuron (Citation: ESET LightNeuron May 2019) (Citation: Secureworks IRON HUNTER Profile) Encrypted/Encoded File, Local Data Staging, Match Legitimate Resource Name or Location, Symmetric Cryptography, Automated Collection, Transport Agent, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Scheduled Transfer, Archive Collected Data, Mail Protocols, System Network Configuration Discovery, Automated Exfiltration, Exfiltration Over C2 Channel, Remote Email Collection, Transmitted Data Manipulation, Windows Command Shell, File Deletion, Ingress Tool Transfer, Steganography
S0168 Gazer (Citation: ESET Crutch December 2020) (Citation: ESET Gazer Aug 2017) (Citation: Securelist WhiteBear Aug 2017) (Citation: WhiteBear) Scheduled Task, System Owner/User Discovery, Encrypted/Encoded File, Symmetric Cryptography, Code Signing, Thread Execution Hijacking, Process Injection, Timestomp, Mutual Exclusion, Shortcut Modification, Winlogon Helper DLL, Registry Run Keys / Startup Folder, Asymmetric Cryptography, Screensaver, File Deletion, Web Protocols, Ingress Tool Transfer, NTFS File Attributes
S0096 Systeminfo (Citation: ESET Turla Lunar toolset May 2024) (Citation: Kaspersky Turla) (Citation: TechNet Systeminfo) System Information Discovery
S0022 Uroburos (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) (Citation: Kaspersky Turla) (Citation: Snake) Fileless Storage, Embedded Payloads, Encrypted/Encoded File, Rootkit, DNS, Symmetric Cryptography, Windows Service, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Traffic Signaling, Reflective Code Loading, Protocol Tunneling, Mail Protocols, Modify Registry, File and Directory Discovery, Masquerade Task or Service, Multi-Stage Channels, Process Discovery, Multi-hop Proxy, Inter-Process Communication, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Windows Command Shell, Non-Standard Encoding, File Deletion, Software Packing, Web Protocols, Hidden File System, Ingress Tool Transfer, Fallback Channels, Dynamic-link Library Injection, Junk Data
S0538 Crutch (Citation: ESET Crutch December 2020) (Citation: Talos TinyTurla September 2021) Scheduled Task, Archive via Utility, Data from Removable Media, Local Data Staging, DLL, Automated Collection, Peripheral Device Discovery, Data from Local System, Automated Exfiltration, Masquerade Task or Service, Exfiltration Over C2 Channel, Bidirectional Communication, Exfiltration to Cloud Storage, Web Protocols, Fallback Channels
S0256 Mosquito (Citation: ESET Turla Mosquito Jan 2018) (Citation: ESET Turla Mosquito May 2018) (Citation: Secureworks IRON HUNTER Profile) Windows Management Instrumentation, Fileless Storage, System Owner/User Discovery, Rundll32, Encrypted/Encoded File, Symmetric Cryptography, Native API, Modify Registry, System Network Configuration Discovery, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Component Object Model Hijacking, Security Software Discovery, Windows Command Shell, File Deletion, Ingress Tool Transfer
S1142 LunarMail (Citation: ESET Turla Lunar toolset May 2024) Screen Capture, Encrypted/Encoded File, Create or Modify System Process, Local Data Staging, Local Email Collection, Malicious File, Add-ins, System Information Discovery, Deobfuscate/Decode Files or Information, Clear Mailbox Data, Mail Protocols, File and Directory Discovery, Exfiltration Over C2 Channel, Non-Application Layer Protocol, File Deletion, Visual Basic, Steganography
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: ESET Turla Mosquito May 2018) (Citation: Symantec Waterbug Jun 2019) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0581 IronNetInjector (Citation: Unit 42 IronNetInjector February 2021) Scheduled Task, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Process Injection, Masquerade Task or Service, Process Discovery, Python, Dynamic-link Library Injection
S0102 nbtstat (Citation: Kaspersky Turla) (Citation: TechNet Nbtstat) System Network Configuration Discovery, System Network Connections Discovery
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0335 Carbon (Citation: ESET Carbon Mar 2017) (Citation: Securelist Turla Oct 2018) (Citation: Secureworks IRON HUNTER Profile) Scheduled Task, Permission Groups Discovery, Local Data Staging, Windows Service, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, System Network Connections Discovery, Web Service, Process Discovery, Obfuscated Files or Information, Asymmetric Cryptography, Non-Application Layer Protocol, Query Registry, Web Protocols, Remote System Discovery, System Time Discovery, Dynamic-link Library Injection, Commonly Used Port, Exfiltration Over Unencrypted Non-C2 Protocol
S0075 Reg (Citation: Kaspersky Turla) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) Credentials in Registry, Modify Registry, Query Registry
S0587 Penquin (Citation: Kaspersky Turla Penquin December 2014) (Citation: Leonardo Turla Penquin May 2020) (Citation: Penquin 2.0) (Citation: Penquin_x64) Socket Filters, Linux and Mac File and Directory Permissions Modification, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Cron, Network Sniffing, System Information Discovery, Traffic Signaling, System Network Configuration Discovery, File and Directory Discovery, Exfiltration Over C2 Channel, Unix Shell, Indicator Removal from Tools, Asymmetric Cryptography, Non-Application Layer Protocol, File Deletion, Ingress Tool Transfer
S0126 ComRAT (Citation: ESET ComRAT May 2020) (Citation: NorthSec 2015 GData Uroburos Tools) (Citation: Secureworks IRON HUNTER Profile) (Citation: Symantec Waterbug) (Citation: Unit 42 IronNetInjector February 2021) Scheduled Task, Fileless Storage, Embedded Payloads, Native API, Deobfuscate/Decode Files or Information, Scheduled Transfer, Mail Protocols, Modify Registry, Masquerade Task or Service, PowerShell, Obfuscated Files or Information, Component Object Model Hijacking, Bidirectional Communication, Asymmetric Cryptography, Query Registry, Windows Command Shell, Command Obfuscation, Web Protocols, Hidden File System, Software Discovery, System Time Discovery, Dynamic-link Library Injection
S0393 PowerStallion (Citation: ESET Turla PowerShell May 2019) Timestomp, Process Discovery, PowerShell, Obfuscated Files or Information, Bidirectional Communication
S1141 LunarWeb (Citation: ESET Turla Lunar toolset May 2024) Archive via Utility, Windows Management Instrumentation, System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Group Policy Discovery, Symmetric Cryptography, Network Share Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, Archive via Library, Time Based Evasion, Protocol Tunneling, System Network Configuration Discovery, Proxy, File and Directory Discovery, System Network Connections Discovery, Multi-Stage Channels, Process Discovery, PowerShell, Local Groups, Inter-Process Communication, Asymmetric Cryptography, Data Transfer Size Limits, Security Software Discovery, Windows Command Shell, File Deletion, Web Protocols, Software Discovery, Steganography
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Waterbug Jun 2019) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  2. Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
  3. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  4. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  5. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  6. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  7. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  8. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
  9. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  10. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  11. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  12. TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
  13. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  14. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  15. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  16. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  17. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  18. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  19. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  20. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  21. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  22. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  23. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
  24. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  25. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  26. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
