Epic
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Tavdig | (Citation: Kaspersky Turla) |
| Wipbot | (Citation: Kaspersky Turla) |
| WorldCupSec | (Citation: Kaspersky Turla) |
| TadjMakhal | (Citation: Kaspersky Turla) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Epic gathers a list of all user accounts, privilege classes, and time of last logon.(Citation: Kaspersky Turla Aug 2014) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Epic uses HTTP and HTTPS for C2 communications.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014) |
| Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
Epic compresses the collected data with bzip2 before sending it to the C2 server.(Citation: Kaspersky Turla Aug 2014) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Epic encrypts commands from the C2 server using a hardcoded key.(Citation: Kaspersky Turla) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Epic has a command to delete a file from the machine.(Citation: Kaspersky Turla Aug 2014) |
| Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
Epic gathers information on local group names.(Citation: Kaspersky Turla Aug 2014) |
| Enterprise | T1055 | .011 | Process Injection: Extra Window Memory Injection |
Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.(Citation: ESET Recon Snake Nest) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.(Citation: Kaspersky Turla) |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.(Citation: Kaspersky Turla) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0010 | Turla |
(Citation: Kaspersky Turla) (Citation: Secureworks IRON HUNTER Profile) |
References
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
- Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
- Boutin, J. and Faou, M. (2018). Visiting the snake nest. Retrieved May 7, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.