Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
ID: G0010
Associated Groups: BELUGASTURGEON, Krypton, Snake, Venomous Bear, Group 88, Secret Blizzard, IRON HUNTER, Waterbug, WhiteBear
Version: 5.1
Created: 31 May 2017
Last Modified: 26 Jun 2024

Associated Group Descriptions

Name Description
BELUGASTURGEON (Citation: Accenture HyperStack October 2020)
Krypton (Citation: CrowdStrike VENOMOUS BEAR)
Snake (Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla PowerShell May 2019)(Citation: Talos TinyTurla September 2021)
Venomous Bear (Citation: CrowdStrike VENOMOUS BEAR)(Citation: Talos TinyTurla September 2021)
Group 88 (Citation: Leonardo Turla Penquin May 2020)
Secret Blizzard (Citation: Microsoft Threat Actor Naming July 2023)
IRON HUNTER (Citation: Secureworks IRON HUNTER Profile)
Waterbug Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.(Citation: Symantec Waterbug)
WhiteBear WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Turla RPC backdoors can impersonate or steal process tokens before executing commands.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1087 .001 Account Discovery: Local Account

Turla has used net user to enumerate local accounts on the system.(Citation: ESET ComRAT May 2020)(Citation: ESET Crutch December 2020)

.002 Account Discovery: Domain Account

Turla has used net user /domain to enumerate domain accounts.(Citation: ESET ComRAT May 2020)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.(Citation: ESET Crutch December 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turla has used HTTP and HTTPS for C2 communications.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)

.003 Application Layer Protocol: Mail Protocols

Turla has used multiple backdoors which communicate with a C2 server via email attachments.(Citation: Crowdstrike GTR2020 Mar 2020)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode was saved to the Startup folder to gain persistence.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)(Citation: ESET Turla Lunar toolset May 2024)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.(Citation: ESET Turla Mosquito May 2018)(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019) Turla has also used PowerShell scripts to load and execute malware in memory.

.003 Command and Scripting Interpreter: Windows Command Shell

Turla RPC backdoors have used cmd.exe to execute commands.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)

.005 Command and Scripting Interpreter: Visual Basic

Turla has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019)

.006 Command and Scripting Interpreter: Python

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.(Citation: Unit 42 IronNetInjector February 2021)

.007 Command and Scripting Interpreter: JavaScript

Turla has used various JavaScript-based backdoors.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Turla has used the VPS infrastructure of compromised Iranian threat actors.(Citation: NSA NCSC Turla OilRig)

.004 Compromise Infrastructure: Server

Turla has used compromised servers as infrastructure.(Citation: Recorded Future Turla Infra 2020)(Citation: Accenture HyperStack October 2020)(Citation: Talos TinyTurla September 2021)

.006 Compromise Infrastructure: Web Services

Turla has frequently used compromised WordPress sites for C2 infrastructure.(Citation: Recorded Future Turla Infra 2020)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Turla has gathered credentials from the Windows Credential Manager tool.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1587 .001 Develop Capabilities: Malware

Turla has developed its own unique malware for use in operations.(Citation: Recorded Future Turla Infra 2020)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Turla has used WMI event filters and consumers to establish persistence.(Citation: ESET Turla PowerShell May 2019)
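A WMI event subscription only does anything once a filter, a consumer and the binding between them all exist, so hunting for this persistence means correlating three Sysmon events (ID 19 filter created, ID 20 consumer created, ID 21 binding created) rather than alerting on any one of them. The Python below is an added example, not code from the ATT&CK page or from the ESET report: the records are constructed to mirror Sysmon's field names and are not from any incident, and the triage heuristics (code-executing consumer classes, an encoded PowerShell command in the consumer, an uptime-based trigger query) are general hunting heuristics, not Turla-specific indicators.

```python
"""Correlate Sysmon WMI events (19 filter, 20 consumer, 21 binding) into
subscriptions and triage them for T1546.003 persistence. Added example."""
import base64
import re

# Consumer classes that run attacker-supplied code when the filter fires
EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Filters that fire a few minutes after boot are a common persistence trigger (heuristic)
UPTIME_TRIGGER = re.compile(r"SystemUpTime|Win32_PerfFormattedData_PerfOS_System", re.I)
# Sysmon writes bindings as e.g. CommandLineEventConsumer.Name="X" / __EventFilter.Name="Y"
_REF = re.compile(r'^(\w+)\.Name="(.*)"$')
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 argument
_ENC = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")

SAMPLE_EVENTS = [  # constructed records, not from any real host
    {"EventID": 19, "Operation": "Created", "User": "CORP\\svc_backup",
     "Name": "SystemUptimeFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
              "AND TargetInstance.SystemUpTime < 325"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\svc_backup",
     "Name": "SystemUptimeConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\svc_backup",
     "Consumer": 'CommandLineEventConsumer.Name="SystemUptimeConsumer"',
     "Filter": '__EventFilter.Name="SystemUptimeFilter"'},
    # The default Windows SCM event-log binding, included as a benign control
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def _split_ref(ref):
    """'Class.Name="X"' -> ('Class', 'X'); unparseable refs keep the raw text."""
    m = _REF.match(ref)
    return (m.group(1), m.group(2)) if m else (None, ref)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None."""
    m = _ENC.search(cmdline or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def correlate(events):
    """Join each ID 21 binding to the ID 19 filter and ID 20 consumer it names."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20 and e["Operation"] == "Created"}
    subs = []
    for e in events:
        if e["EventID"] != 21 or e["Operation"] != "Created":
            continue
        ctype, cname = _split_ref(e["Consumer"])
        _, fname = _split_ref(e["Filter"])
        subs.append({"filter_name": fname, "consumer_name": cname, "consumer_class": ctype,
                     "filter": filters.get(fname), "consumer": consumers.get(cname),
                     "user": e["User"]})
    return subs


def triage(subs):
    """Return the subscriptions worth a human look, each with the reasons."""
    findings = []
    for s in subs:
        reasons = []
        if s["consumer_class"] in EXEC_CONSUMERS:
            reasons.append(f"{s['consumer_class']} executes attacker-controlled code")
        decoded = decode_encoded_command((s["consumer"] or {}).get("Destination", ""))
        if decoded is not None:
            reasons.append(f"consumer runs encoded PowerShell: {decoded!r}")
        if UPTIME_TRIGGER.search((s["filter"] or {}).get("Query", "")):
            reasons.append("filter fires shortly after boot (uptime-based trigger)")
        if s["filter"] is None or s["consumer"] is None:
            reasons.append("binding references a filter/consumer whose creation was not logged")
        if reasons:
            findings.append({"binding": f"{s['filter_name']} -> {s['consumer_name']}",
                             "user": s["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(correlate(SAMPLE_EVENTS)):
        print(f["binding"], "created by", f["user"])
        for r in f["reasons"]:
            print("   -", r)
```

The benign SCM binding ships with Windows and drops out because its consumer class does not execute code and its query has no uptime trigger; the constructed uptime filter with a CommandLineEventConsumer is what a persistence hunt should surface. For live hunting the same three event IDs can be pulled from the Sysmon channel, or the current state enumerated from `root\subscription` with `Get-CimInstance` on `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding`.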

.013 Event Triggered Execution: PowerShell Profile

Turla has used PowerShell profiles to maintain persistence on an infected machine.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Turla has used WebDAV to upload stolen USB files to a cloud drive.(Citation: Symantec Waterbug Jun 2019) Turla has also exfiltrated stolen files to OneDrive and 4shared.(Citation: ESET ComRAT May 2020)

Enterprise T1564 .012 Hide Artifacts: File/Path Exclusions

Turla has placed LunarWeb install files into directories that are excluded from scanning.(Citation: ESET Turla Lunar toolset May 2024)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.(Citation: ESET Turla PowerShell May 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Turla has named components of LunarWeb to mimic Zabbix agent logs.(Citation: ESET Turla Lunar toolset May 2024)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.(Citation: ESET Gazer Aug 2017)

.010 Obfuscated Files or Information: Command Obfuscation

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.(Citation: ESET Turla PowerShell May 2019)
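Both the in-memory AMSI patch above and the obfuscation described here leave traces in PowerShell Script Block Logging (Event ID 4104), which records the de-obfuscated script text as it is compiled, so a practical check is to score each logged script block for those traces. The Python below is an added example, not code from the ATT&CK page or from the ESET report: the two script blocks are constructed (the suspicious one is a non-functional fragment that merely references the relevant APIs), the variable-name heuristic and the 200-character base64 cut-off are assumptions, and the `Rfc2898DeriveBytes`/`TripleDES` pairing is used as the marker of an Out-EncryptedScript-style payload on the assumption that the decryptor for such a payload has to name those classes.

```python
"""Score PowerShell 4104 script blocks for AMSI tampering (T1562.001) and the
encryption / base64 / random-variable obfuscation described under T1027.010.
Added example with constructed samples."""
import re
from collections import defaultdict

AMSI_REFS = re.compile(r"amsi\.dll|AmsiScanBuffer|AmsiUtils|amsiInitFailed|AmsiOpenSession", re.I)
MEM_WRITE = re.compile(r"VirtualProtect|Marshal\]::Copy|WriteProcessMemory|NtProtectVirtualMemory", re.I)
B64_DECODE = re.compile(r"FromBase64String", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")          # assumed cut-off
TRIPLE_DES = re.compile(r"TripleDES|Rfc2898DeriveBytes", re.I)  # Out-EncryptedScript marker (assumption)
VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]{3,})")            # $name tokens, 4+ chars
AUTOMATIC = {"true", "false", "null", "args", "input", "this", "host", "error", "profile", "psitem"}
VOWELS = set("aeiouAEIOU")

BENIGN_SCRIPT = (  # constructed admin script
    "$services = Get-Service | Where-Object { $_.Status -eq 'Running' }\n"
    "foreach ($service in $services) {\n"
    "    Write-Output ('{0}: {1}' -f $service.Name, $service.DisplayName)\n"
    "}\n"
    "$report = Join-Path $env:TEMP 'services.txt'\n"
    "$services | Export-Csv -Path $report -NoTypeInformation\n"
)
SUSPICIOUS_SCRIPT = (  # constructed, deliberately incomplete fragment; [Kernel32] is never defined
    "$kjv3hd = 'amsi.dll'\n"
    "$pqzx9w = [Kernel32]::GetProcAddress([Kernel32]::LoadLibrary($kjv3hd), 'AmsiScanBuffer')\n"
    "$tgbrxs = 0\n"
    "[Kernel32]::VirtualProtect($pqzx9w, [uint32]8, 0x40, [ref]$tgbrxs)\n"
    "[Runtime.InteropServices.Marshal]::Copy($wmnzqp, 0, $pqzx9w, $wmnzqp.Length)\n"
    "$fhdkzb = [Convert]::FromBase64String('" + "QUFB" * 60 + "')\n"
    "$rcvnxt = New-Object Security.Cryptography.TripleDESCryptoServiceProvider\n"
    "$lmnpqk = New-Object Security.Cryptography.Rfc2898DeriveBytes($pwd, $bqwxzt, 50)\n"
)
_HALF = len(SUSPICIOUS_SCRIPT) // 2
SAMPLE_4104 = [  # constructed 4104 records; long scripts arrive as numbered fragments, here out of order
    {"EventID": 4104, "ScriptBlockId": "a1b2c3d4-0000-4000-8000-000000000001",
     "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": BENIGN_SCRIPT},
    {"EventID": 4104, "ScriptBlockId": "a1b2c3d4-0000-4000-8000-000000000002",
     "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": SUSPICIOUS_SCRIPT[_HALF:]},
    {"EventID": 4104, "ScriptBlockId": "a1b2c3d4-0000-4000-8000-000000000002",
     "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText": SUSPICIOUS_SCRIPT[:_HALF]},
]


def looks_random(name):
    """Heuristic: almost no vowels, or letters mixed with digits in a 6+ char name."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in name)
    return vowel_ratio < 0.2 or (has_digits and len(name) >= 6)


def score_script(text):
    """Return the list of indicator descriptions that fire on one script block."""
    findings = []
    if AMSI_REFS.search(text) and MEM_WRITE.search(text):
        findings.append("T1562.001: AMSI internals referenced alongside memory-write APIs (in-memory amsi.dll patch)")
    if B64_DECODE.search(text) and B64_BLOB.search(text):
        findings.append("T1027.010: large base64 blob decoded at runtime")
    if TRIPLE_DES.search(text):
        findings.append("T1027.010: TripleDES / PBKDF2 decryption of an embedded script")
    names = {n for n in VAR.findall(text) if n.lower() not in AUTOMATIC}
    random_names = [n for n in names if looks_random(n)]
    if len(names) >= 4 and len(random_names) / len(names) >= 0.5:
        findings.append(f"T1027.010: {len(random_names)}/{len(names)} variable names look randomly generated")
    return findings


def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    parts = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4104:
            parts[e["ScriptBlockId"]].append((e.get("MessageNumber", 1), e["ScriptBlockText"]))
    return {sid: "".join(t for _, t in sorted(p)) for sid, p in parts.items()}


def scan_script_blocks(events):
    """(ScriptBlockId, findings) for every reassembled block with at least one hit."""
    return [(sid, score_script(text)) for sid, text in reassemble(events).items() if score_script(text)]


if __name__ == "__main__":
    for sid, hits in scan_script_blocks(SAMPLE_4104):
        print(sid)
        for h in hits:
            print("   -", h)
```

Reassembly matters because a fragment boundary can split the base64 blob or separate the `amsi.dll` reference from the `VirtualProtect` call, and scoring fragments one at a time would then miss the combination the rules look for. The AMSI rule deliberately requires both an AMSI reference and a memory-write API, since scripts that merely mention AMSI (security tooling, for instance) are common.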

.011 Obfuscated Files or Information: Fileless Storage

Turla has used the Registry to store encrypted and encoded payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)
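Three of the Registry behaviours on this page can be checked from a single `reg export` dump without touching the live hive: the Run-key value that launches a script host (T1547.001 above), a Shell value under the per-user Winlogon key (T1547.004 above), and the encrypted payloads stored in Registry values described here. The Python below is an added example, not code from the ATT&CK page or from the cited reports: the `.reg` text is constructed, the 4 KiB "large blob" threshold and the script-host list are assumptions, and the parser covers only the value types the sample uses (string, dword, hex).

```python
"""Parse 'reg export' text and audit it for Run-key script hosts (T1547.001),
per-user or modified Winlogon Shell (T1547.004) and oversized binary values
that may be registry-resident payloads (T1027.011). Added example."""

RUN_KEY_SUFFIXES = ("\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
                    "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE")
WINLOGON_SUFFIX = "\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON"
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "rundll32", "regsvr32", "cmd"}
BLOB_THRESHOLD = 4096  # bytes; assumed cut-off for a "suspiciously large" binary value


def _reg_hex(name, data, per_line=25):
    """Render bytes the way reg export does: hex pairs, continuation lines ending in '\\'."""
    pairs = [f"{b:02x}" for b in data]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return f'"{name}"=hex:' + ",\\\n  ".join(chunks)


SAMPLE_REG = "\n".join([  # constructed dump, not from a real host
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"',
    r'"local_update_check"="wscript.exe //B \"C:\\Users\\Public\\update.js\""',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    r'"Shell"="explorer.exe, C:\\Users\\Public\\svc.exe"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    r'"Shell"="explorer.exe"',
    r'"AutoRestartShell"=dword:00000001',
    "",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{3e0f1c52-8b41-4a6d-9f07-c2d5a8e1b004}]",
    _reg_hex("Data", bytes(range(256)) * 20),  # 5120-byte blob
])


def _unescape(s):
    """Undo .reg string escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, data)}} for sz, dword and hex values."""
    keys, current, pending = {}, None, None  # pending = (name, [hex chunks]) across lines
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            pending[1].append(line.rstrip("\\").strip())
            if not line.endswith("\\"):
                name, chunks = pending
                keys[current][name] = ("hex", bytes.fromhex("".join(chunks).replace(",", "")))
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")  # value names in the sample contain no '='
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if value.startswith('"'):
            keys[current][name] = ("sz", _unescape(value[1:-1]))
        elif value.startswith("dword:"):
            keys[current][name] = ("dword", int(value[6:], 16))
        elif value.startswith("hex"):  # hex: or hex(N):
            hexpart = value.split(":", 1)[1].strip()
            if hexpart.endswith("\\"):
                pending = (name, [hexpart.rstrip("\\").strip()])
            else:
                keys[current][name] = ("hex", bytes.fromhex(hexpart.replace(",", "")))
    return keys


def _launcher(cmd):
    """Executable name (no path, no .exe) that a Run value starts."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    exe = first.rsplit("\\", 1)[-1].lower()
    return exe[:-4] if exe.endswith(".exe") else exe


def audit(keys):
    """Return (technique, key, value name, detail) for each suspicious value."""
    findings = []
    for path, values in keys.items():
        upath = path.upper()
        for name, (vtype, data) in values.items():
            if vtype == "sz" and upath.endswith(RUN_KEY_SUFFIXES):
                if _launcher(data) in SCRIPT_HOSTS:
                    findings.append(("T1547.001 Run key launches a script host", path, name, data))
            elif vtype == "sz" and upath.endswith(WINLOGON_SUFFIX) and name.lower() == "shell":
                if upath.startswith(("HKEY_CURRENT_USER", "HKEY_USERS")) or data.strip().lower() != "explorer.exe":
                    findings.append(("T1547.004 Winlogon Shell set per-user or not explorer.exe", path, name, data))
            elif vtype == "hex" and len(data) >= BLOB_THRESHOLD:
                findings.append(("T1027.011 Large binary value (possible fileless payload)", path, name, f"{len(data)} bytes"))
    return findings


if __name__ == "__main__":
    for technique, key, name, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{technique}\n    {key}\\{name} = {detail}")
```

The machine-wide `HKLM` Shell value of `explorer.exe` is left alone; a `Shell` value under `HKCU` is flagged on presence alone, because Windows does not create one there by default, which is exactly why the HKCU location suits a per-user implant. The blob check is a coarse first pass: large legitimate binary values exist (certificates, cached thumbnails), so its hits are for triage, not alerting.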

Enterprise T1588 .001 Obtain Capabilities: Malware

Turla has used malware obtained after compromising other threat actors, such as OilRig.(Citation: NSA NCSC Turla OilRig)(Citation: Recorded Future Turla Infra 2020)

.002 Obtain Capabilities: Tool

Turla has obtained and customized publicly-available tools like Mimikatz.(Citation: Symantec Waterbug Jun 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.(Citation: ESET ComRAT May 2020)

.002 Permission Groups Discovery: Domain Groups

Turla has used net group "Domain Admins" /domain to identify domain administrators.(Citation: ESET ComRAT May 2020)
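The four `net` commands attributed to Turla in the Account Discovery and Permission Groups Discovery entries above are individually unremarkable (help-desk staff run `net user` too); what makes them worth an alert is several of them appearing from the same host inside a short window. The Python below is an added example, not code from the ATT&CK page or from the ESET report: it classifies constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 (host, time, command line) and raises one alert per host when at least two distinct discovery sub-techniques occur within a ten-minute window. The field names, the window and the threshold are assumptions for illustration.

```python
"""Flag the net.exe reconnaissance sequence (net user, net user /domain,
net localgroup [Administrators], net group "Domain Admins" /domain) in
process-creation telemetry. Added example with constructed events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (sub-technique, regex over the normalised command line); net1 because net.exe
# hands most subcommands to net1.exe, which shows up as its own process creation
RULES = [
    ("T1087.001 Account Discovery: Local Account", re.compile(r"^net1?\s+user\s*$")),
    ("T1087.002 Account Discovery: Domain Account", re.compile(r"^net1?\s+user\s+/domain$")),
    ("T1069.001 Permission Groups Discovery: Local Groups",
     re.compile(r"^net1?\s+localgroup(\s+administrators)?\s*$")),
    ("T1069.002 Permission Groups Discovery: Domain Groups",
     re.compile(r'^net1?\s+group\s+"?domain admins"?\s+/domain$')),
]

SAMPLE_EVENTS = [  # constructed, not from any real incident
    {"Computer": "WS01", "UtcTime": datetime(2024, 6, 1, 9, 0, 5),
     "CommandLine": "C:\\Windows\\System32\\net.exe user"},
    {"Computer": "WS01", "UtcTime": datetime(2024, 6, 1, 9, 0, 6),
     "CommandLine": "C:\\Windows\\system32\\net1 user"},
    {"Computer": "WS01", "UtcTime": datetime(2024, 6, 1, 9, 0, 41),
     "CommandLine": "net user /domain"},
    {"Computer": "WS01", "UtcTime": datetime(2024, 6, 1, 9, 1, 12),
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"Computer": "WS01", "UtcTime": datetime(2024, 6, 1, 9, 2, 3),
     "CommandLine": "net localgroup Administrators"},
    {"Computer": "WS02", "UtcTime": datetime(2024, 6, 1, 9, 5, 0),
     "CommandLine": "net use \\\\fileserver\\share"},      # lateral movement, not discovery
    {"Computer": "WS03", "UtcTime": datetime(2024, 6, 1, 10, 0, 0),
     "CommandLine": "net user"},                            # one help-desk command: below threshold
]


def normalise(cmdline):
    """Lower-case, drop the executable's path and .exe, collapse whitespace."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return ""
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    rest = " ".join(parts[1].split()).lower() if len(parts) > 1 else ""
    return f"{exe} {rest}".strip()


def classify(cmdline):
    """Sub-techniques whose pattern matches this command line (usually 0 or 1)."""
    norm = normalise(cmdline)
    return [name for name, rx in RULES if rx.match(norm)]


def detect(events, window=timedelta(minutes=10), min_distinct=2):
    """One alert per host whose discovery commands span >= min_distinct sub-techniques within `window`."""
    hits = defaultdict(list)  # host -> [(time, technique, command line)]
    for ev in events:
        for tech in classify(ev["CommandLine"]):
            hits[ev["Computer"]].append((ev["UtcTime"], tech, ev["CommandLine"]))
    alerts = []
    for host, items in hits.items():
        items.sort()
        for ts, _, _ in items:
            in_window = [it for it in items if ts <= it[0] <= ts + window]
            techniques = {it[1] for it in in_window}
            if len(techniques) >= min_distinct:
                alerts.append({"host": host, "start": ts, "techniques": sorted(techniques),
                               "commands": [it[2] for it in in_window]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} @ {a['start']:%Y-%m-%d %H:%M:%S}: {', '.join(a['techniques'])}")
        for c in a["commands"]:
            print("   ", c)
```

Matching on the normalised command line rather than the raw string means `"C:\Windows\System32\net.exe"  user /DOMAIN` and `net user /domain` hit the same rule, and the `net1` alternative stops the rule from firing twice for the same keystroke only when both processes are counted as separate techniques, which they are not. WS02's `net use` is the SMB lateral-movement command listed further down this page and is intentionally outside these rules.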

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Turla has used spearphishing emails to deliver BrainTest as a malicious attachment.(Citation: ESET Carbon Mar 2017)

.002 Phishing: Spearphishing Link

Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.(Citation: ESET Turla Mosquito May 2018)(Citation: Github Rapid7 Meterpreter Elevate)

Enterprise T1090 .001 Proxy: Internal Proxy

Turla has compromised internal network systems to act as a proxy to forward traffic to C2.(Citation: Talos TinyTurla September 2021)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Turla used net use commands to connect to lateral systems within a network.(Citation: Kaspersky Turla)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.(Citation: ESET ComRAT May 2020)

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

Turla has used tracert to check internet connectivity.(Citation: ESET ComRAT May 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Turla has used spearphishing via a link to get users to download and run their malware.(Citation: ESET Turla Mosquito Jan 2018)

Enterprise T1078 .003 Valid Accounts: Local Accounts

Turla has abused local accounts that have the same password across the victim’s network.(Citation: ESET Crutch December 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018)

Software

ID Name References Techniques
S0039 Net (Citation: Kaspersky Turla) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account
S1075 KOPILUWAK (Citation: Mandiant Suspected Turla Campaign February 2023) Web Protocols, Malicious File, Process Discovery, Network Share Discovery, System Network Configuration Discovery, Exfiltration Over C2 Channel, System Information Discovery, System Network Connections Discovery, Spearphishing Attachment, Data from Local System, Local Data Staging, JavaScript, System Owner/User Discovery
S0160 certutil (Citation: Symantec Waterbug Jun 2019) (Citation: TechNet Certutil) Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0668 TinyTurla (Citation: Talos TinyTurla September 2021) Asymmetric Cryptography, Native API, Match Legitimate Name or Location, Service Execution, Modify Registry, Windows Command Shell, Ingress Tool Transfer, Fileless Storage, Masquerade Task or Service, Scheduled Transfer, Query Registry, Fallback Channels, Data from Local System, Web Protocols
S0537 HyperStack (Citation: Accenture HyperStack October 2020) Default Accounts, Native API, Inter-Process Communication, Modify Registry, Symmetric Cryptography, Local Account
S0057 Tasklist (Citation: Kaspersky Turla) (Citation: Microsoft Tasklist) Process Discovery, System Service Discovery, Security Software Discovery
S0099 Arp (Citation: Kaspersky Turla) (Citation: TechNet Arp) Remote System Discovery, System Network Configuration Discovery
S0363 Empire (Citation: EmPyre) (Citation: ESET Crutch December 2020) (Citation: ESET Turla August 2018) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0104 netstat (Citation: Kaspersky Turla) (Citation: TechNet Netstat) System Network Connections Discovery
S0265 Kazuar (Citation: Talos TinyTurla September 2021) (Citation: Unit 42 Kazuar May 2017) Registry Run Keys / Startup Folder, Ingress Tool Transfer, Data Destruction, File Deletion, Obfuscated Files or Information, Standard Encoding, Process Discovery, File and Directory Discovery, System Owner/User Discovery, Internal Proxy, Local Groups, Video Capture, Unix Shell, Dynamic-link Library Injection, File Transfer Protocols, Windows Service, System Information Discovery, Bidirectional Communication, Fallback Channels, Web Protocols, Application Window Discovery, Screen Capture, Scheduled Transfer, Local Account, Local Data Staging, Data from Local System, System Network Configuration Discovery, Windows Management Instrumentation, Shortcut Modification, Windows Command Shell
S1143 LunarLoader (Citation: ESET Turla Lunar toolset May 2024) System Network Configuration Discovery, Execution Guardrails, Deobfuscate/Decode Files or Information, Add-ins, Reflective Code Loading
S0091 Epic (Citation: Kaspersky Turla) (Citation: Secureworks IRON HUNTER Profile) (Citation: TadjMakhal) (Citation: Tavdig) (Citation: Wipbot) (Citation: WorldCupSec) Query Registry, Process Discovery, Web Protocols, System Owner/User Discovery, System Time Discovery, File and Directory Discovery, File Deletion, System Information Discovery, System Network Connections Discovery, Remote System Discovery, Archive via Library, Extra Window Memory Injection, Code Signing, Local Account, Archive Collected Data, Local Groups, Symmetric Cryptography, System Network Configuration Discovery, System Service Discovery, Security Software Discovery, Obfuscated Files or Information
S0395 LightNeuron (Citation: ESET LightNeuron May 2019) (Citation: Secureworks IRON HUNTER Profile) File Deletion, Mail Protocols, Scheduled Transfer, Automated Exfiltration, Exfiltration Over C2 Channel, Encrypted/Encoded File, Steganography, Deobfuscate/Decode Files or Information, Archive Collected Data, Match Legitimate Name or Location, Remote Email Collection, System Information Discovery, Ingress Tool Transfer, Automated Collection, Symmetric Cryptography, Local Data Staging, Windows Command Shell, Data from Local System, Transmitted Data Manipulation, System Network Configuration Discovery, Native API, Transport Agent
S0168 Gazer (Citation: ESET Crutch December 2020) (Citation: ESET Gazer Aug 2017) (Citation: Securelist WhiteBear Aug 2017) (Citation: WhiteBear) Winlogon Helper DLL, Timestomp, Asymmetric Cryptography, Registry Run Keys / Startup Folder, Web Protocols, Shortcut Modification, File Deletion, Thread Execution Hijacking, Process Injection, Ingress Tool Transfer, Symmetric Cryptography, Screensaver, Code Signing, System Owner/User Discovery, NTFS File Attributes, Encrypted/Encoded File, Scheduled Task, Mutual Exclusion
S0096 Systeminfo (Citation: ESET Turla Lunar toolset May 2024) (Citation: Kaspersky Turla) (Citation: TechNet Systeminfo) System Information Discovery
S0022 Uroburos (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) (Citation: Kaspersky Turla) (Citation: Snake) Asymmetric Cryptography, Reflective Code Loading, Native API, Data from Local System, Software Packing, Non-Application Layer Protocol, Mail Protocols, Junk Data, Symmetric Cryptography, Web Protocols, Multi-hop Proxy, Windows Command Shell, Hidden File System, Fileless Storage, Modify Registry, Masquerade Task or Service, Non-Standard Encoding, Query Registry, Inter-Process Communication, System Information Discovery, Multi-Stage Channels, Protocol or Service Impersonation, Fallback Channels, Windows Service, Ingress Tool Transfer, Protocol Tunneling, Deobfuscate/Decode Files or Information, Dynamic-link Library Injection, Traffic Signaling, Process Discovery, Rootkit, Encrypted/Encoded File, File Deletion, DNS, File and Directory Discovery, Embedded Payloads
S0538 Crutch (Citation: ESET Crutch December 2020) (Citation: Talos TinyTurla September 2021) Archive via Utility, Peripheral Device Discovery, Bidirectional Communication, Web Protocols, Scheduled Task, Exfiltration to Cloud Storage, Data from Removable Media, Masquerade Task or Service, DLL Search Order Hijacking, Automated Exfiltration, Automated Collection, Data from Local System, Fallback Channels, Local Data Staging, Exfiltration Over C2 Channel
S0256 Mosquito (Citation: ESET Turla Mosquito Jan 2018) (Citation: ESET Turla Mosquito May 2018) (Citation: Secureworks IRON HUNTER Profile) Windows Management Instrumentation, System Owner/User Discovery, Rundll32, File Deletion, Symmetric Cryptography, Security Software Discovery, PowerShell, Modify Registry, Ingress Tool Transfer, Component Object Model Hijacking, Encrypted/Encoded File, Process Discovery, System Network Configuration Discovery, Windows Command Shell, Registry Run Keys / Startup Folder, Native API, Fileless Storage
S1142 LunarMail (Citation: ESET Turla Lunar toolset May 2024) Local Email Collection, Clear Mailbox Data, Exfiltration Over C2 Channel, Deobfuscate/Decode Files or Information, Malicious File, Encrypted/Encoded File, File and Directory Discovery, Visual Basic, File Deletion, System Information Discovery, Non-Application Layer Protocol, Steganography, Screen Capture, Create or Modify System Process, Mail Protocols, Add-ins, Local Data Staging
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: ESET Turla Mosquito May 2018) (Citation: Symantec Waterbug Jun 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0581 IronNetInjector (Citation: Unit 42 IronNetInjector February 2021) Python, Process Discovery, Process Injection, Masquerade Task or Service, Scheduled Task, Deobfuscate/Decode Files or Information, Dynamic-link Library Injection, Encrypted/Encoded File
S0102 nbtstat (Citation: Kaspersky Turla) (Citation: TechNet Nbtstat) System Network Configuration Discovery, System Network Connections Discovery
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0335 Carbon (Citation: ESET Carbon Mar 2017) (Citation: Securelist Turla Oct 2018) (Citation: Secureworks IRON HUNTER Profile) Scheduled Task, Web Service, Commonly Used Port, System Network Connections Discovery, Query Registry, Permission Groups Discovery, System Time Discovery, System Network Configuration Discovery, Local Data Staging, Windows Service, Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Exfiltration Over Unencrypted Non-C2 Protocol, Remote System Discovery, Web Protocols, Obfuscated Files or Information, Non-Application Layer Protocol, Dynamic-link Library Injection, Process Discovery
S0075 Reg (Citation: Kaspersky Turla) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) Credentials in Registry, Query Registry, Modify Registry
S0587 Penquin (Citation: Kaspersky Turla Penquin December 2014) (Citation: Leonardo Turla Penquin May 2020) (Citation: Penquin 2.0) (Citation: Penquin_x64) Unix Shell, System Network Configuration Discovery, Traffic Signaling, Match Legitimate Name or Location, Ingress Tool Transfer, Cron, Network Sniffing, Asymmetric Cryptography, Indicator Removal from Tools, Linux and Mac File and Directory Permissions Modification, Exfiltration Over C2 Channel, Socket Filters, Non-Application Layer Protocol, File and Directory Discovery, System Information Discovery, File Deletion, Encrypted/Encoded File
S0126 ComRAT (Citation: ESET ComRAT May 2020) (Citation: NorthSec 2015 GData Uroburos Tools) (Citation: Secureworks IRON HUNTER Profile) (Citation: Symantec Waterbug) (Citation: Unit 42 IronNetInjector February 2021) Mail Protocols, Hidden File System, Web Protocols, Scheduled Task, Asymmetric Cryptography, Software Discovery, Dynamic-link Library Injection, Obfuscated Files or Information, Fileless Storage, Command Obfuscation, Scheduled Transfer, Component Object Model Hijacking, Bidirectional Communication, Native API, Windows Command Shell, Deobfuscate/Decode Files or Information, Query Registry, PowerShell, Modify Registry, System Time Discovery, Embedded Payloads, Masquerade Task or Service
S0393 PowerStallion (Citation: ESET Turla PowerShell May 2019) Bidirectional Communication, Obfuscated Files or Information, PowerShell, Timestomp, Process Discovery
S1141 LunarWeb (Citation: ESET Turla Lunar toolset May 2024) Group Policy Discovery, Steganography, Windows Command Shell, System Information Discovery, PowerShell, Asymmetric Cryptography, Multi-Stage Channels, Archive via Library, Time Based Evasion, Protocol Tunneling, File and Directory Discovery, Network Share Discovery, Symmetric Cryptography, Software Discovery, Archive via Utility, System Network Configuration Discovery, Deobfuscate/Decode Files or Information, File Deletion, System Network Connections Discovery, Web Protocols, Encrypted/Encoded File, Process Discovery, Windows Management Instrumentation, Local Groups, Proxy, Data Transfer Size Limits, Inter-Process Communication, Standard Encoding, System Owner/User Discovery, Security Software Discovery
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Waterbug Jun 2019) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
  2. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  3. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  4. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  5. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  6. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  7. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  8. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  9. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  10. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
  11. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  12. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  13. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  14. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  15. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  16. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  17. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  18. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  19. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  20. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  21. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  22. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  23. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  24. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  25. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  26. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  27. Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
  28. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.