Turla

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.[1][2][3][4]

ID: G0010
Associated Groups: Group 88, Belugasturgeon, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton
Contributors: Matthieu Faou, ESET; Edward Millington
Version: 2.0
Created: 31 May 2017
Last Modified: 26 April 2021

Associated Group Descriptions

Name Description
Group 88

[5]

Belugasturgeon

[6]

Waterbug

Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.[7]

WhiteBear

WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.[8]

VENOMOUS BEAR

[3]

Snake

[3][9]

Krypton

[3]

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Turla RPC backdoors can impersonate or steal process tokens before executing commands.[9]

Enterprise T1087 .001 Account Discovery: Local Account

Turla has used net user to enumerate local accounts on the system.[10][11]

.002 Account Discovery: Domain Account

Turla has used net user /domain to enumerate domain accounts.[10]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[11]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turla has used HTTP and HTTPS for C2 communications.[4][12]

.003 Application Layer Protocol: Mail Protocols

Turla has used multiple backdoors which communicate with a C2 server via email attachments.[13]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[14]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Turla Javascript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[4][12]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[4]

Enterprise T1110 Brute Force

Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[12][9][14] Turla has also used PowerShell scripts to load and execute malware in memory.

.003 Command and Scripting Interpreter: Windows Command Shell

Turla RPC backdoors have used cmd.exe to execute commands.[9][14]

.005 Command and Scripting Interpreter: Visual Basic

Turla has used VBS scripts throughout its operations.[14]

.006 Command and Scripting Interpreter: Python

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[15]

.007 Command and Scripting Interpreter: JavaScript

Turla has used various JavaScript-based backdoors.[4]

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Turla has used the VPS infrastructure of compromised Iranian threat actors.[16]

.004 Compromise Infrastructure: Server

Turla has used compromised servers as infrastructure.[17][6]

.006 Compromise Infrastructure: Web Services

Turla has frequently used compromised WordPress sites for C2 infrastructure.[17]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Turla has gathered credentials from the Windows Credential Manager tool.[14]

Enterprise T1213 Data from Information Repositories

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[10]

Enterprise T1005 Data from Local System

Turla RPC backdoors can upload files from victim machines.[9]

Enterprise T1025 Data from Removable Media

Turla RPC backdoors can collect files from USB thumb drives.[9][14]

Enterprise T1140 Deobfuscate/Decode Files or Information

Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[9]

Enterprise T1587 .001 Develop Capabilities: Malware

Turla has developed its own unique malware for use in operations.[17]

Enterprise T1189 Drive-by Compromise

Turla has infected victims using watering holes.[10]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Turla has used WMI event filters and consumers to establish persistence.[9]

.013 Event Triggered Execution: PowerShell Profile

Turla has used PowerShell profiles to maintain persistence on an infected machine.[9]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Turla has used WebDAV to upload stolen USB files to a cloud drive.[14] Turla has also exfiltrated stolen files to OneDrive and 4shared.[10]

Enterprise T1068 Exploitation for Privilege Escalation

Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.[18]

Enterprise T1083 File and Directory Discovery

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[1][10] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[9]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[9]

Enterprise T1105 Ingress Tool Transfer

Turla has used shellcode to download Meterpreter after compromising a victim.[12]

Enterprise T1570 Lateral Tool Transfer

Turla RPC backdoors can be used to transfer files to/from victim machines on the local network.[9][14]

Enterprise T1112 Modify Registry

Turla has used the Registry to store encrypted payloads.[9][14]

Enterprise T1106 Native API

Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.[9]

Enterprise T1027 Obfuscated Files or Information

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.[9]

.005 Indicator Removal from Tools

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[2]

Enterprise T1588 .001 Obtain Capabilities: Malware

Turla has used malware obtained after compromising other threat actors, such as OilRig.[16][17]

Enterprise T1201 Password Policy Discovery

Turla has used net accounts and net accounts /domain to acquire password policy information.[10]

Enterprise T1120 Peripheral Device Discovery

Turla has used fsutil fsinfo drives to list connected drives.[10]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.[10]

.002 Permission Groups Discovery: Domain Groups

Turla has used net group "Domain Admins" /domain to identify domain administrators.[10]

Enterprise T1566 .002 Phishing: Spearphishing Link

Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[4]

Enterprise T1057 Process Discovery

Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[9]

Enterprise T1055 Process Injection

Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system.[9]

.001 Dynamic-link Library Injection

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[12][19]

Enterprise T1090 Proxy

Turla RPC backdoors have included local UPnP RPC proxies.[9]

Enterprise T1012 Query Registry

Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1] Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .[9]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Turla used net use commands to connect to lateral systems within a network.[1]

Enterprise T1018 Remote System Discovery

Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. Turla has also used net group "Domain Computers" /domain, net group "Domain Controllers" /domain, and net group "Exchange Servers" /domain to enumerate domain computers, including the organization's DC and Exchange Server.[1][10]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[10]

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.[18][20]

Enterprise T1082 System Information Discovery

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo, gpresult, and set commands.[1][10]

Enterprise T1016 System Network Configuration Discovery

Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[1][14][10] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[9]

.001 Internet Connection Discovery

Turla has used tracert to check internet connectivity.[10]

Enterprise T1049 System Network Connections Discovery

Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[1][10] Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.[9]

Enterprise T1007 System Service Discovery

Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1]

Enterprise T1124 System Time Discovery

Turla surveys a system upon check-in to discover the system time by using the net time command.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Turla has used spearphishing via a link to get users to download and run their malware.[4]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Turla has abused local accounts that have the same password across the victim’s network.[11]

Enterprise T1102 Web Service

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[6][11]

.002 Bidirectional Communication

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[4][12]

Software

ID Name References Techniques
S0099 Arp [1] System Network Configuration Discovery
S0335 Carbon [21] Application Layer Protocol: Web Protocols, Commonly Used Port, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Obfuscated Files or Information, Permission Groups Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Remote System Discovery, Scheduled Task/Job: Scheduled Task, System Network Configuration Discovery, System Network Connections Discovery, System Time Discovery, Web Service
S0160 certutil [14] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0126 ComRAT [7][15] Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Hide Artifacts: Hidden File System, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Software Discovery, System Time Discovery, Web Service: Bidirectional Communication
S0538 Crutch [11] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Automated Exfiltration, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Fallback Channels, Hijack Execution Flow: DLL Search Order Hijacking, Masquerading: Masquerade Task or Service, Peripheral Device Discovery, Scheduled Task/Job: Scheduled Task, Web Service: Bidirectional Communication
S0363 Empire [22][11] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Native API, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0091 Epic [1] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Archive Collected Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Extra Window Memory Injection, Query Registry, Remote System Discovery, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery
S0168 Gazer [2] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Shortcut Modification, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Screensaver, Hide Artifacts: NTFS File Attributes, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Process Injection: Thread Execution Hijacking, Process Injection, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Owner/User Discovery
S0537 HyperStack [6] Account Discovery: Local Account, Encrypted Channel: Symmetric Cryptography, Inter-Process Communication, Modify Registry, Native API, Valid Accounts: Default Accounts
S0581 IronNetInjector [15] Command and Scripting Interpreter: Python, Deobfuscate/Decode Files or Information, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Task/Job: Scheduled Task
S0265 Kazuar [23] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Destruction, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy: Internal Proxy, Scheduled Transfer, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0395 LightNeuron [24] Application Layer Protocol: Mail Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Manipulation: Transmitted Data Manipulation, Data Obfuscation: Steganography, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Email Collection: Remote Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Native API, Obfuscated Files or Information, Scheduled Transfer, Server Software Component: Transport Agent, System Information Discovery, System Network Configuration Discovery
S0002 Mimikatz [12][14] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0256 Mosquito [4][12] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0590 NBTscan [14] Network Service Scanning, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0102 nbtstat [1] System Network Configuration Discovery, System Network Connections Discovery
S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1] System Network Connections Discovery
S0587 Penquin [5] Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Network Sniffing, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Scheduled Task/Job: Cron, System Information Discovery, System Network Configuration Discovery, Traffic Signaling
S0393 PowerStallion [9] Command and Scripting Interpreter: PowerShell, Indicator Removal on Host: Timestomp, Obfuscated Files or Information, Process Discovery, Web Service: Bidirectional Communication
S0029 PsExec [14] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0096 Systeminfo [1] System Information Discovery
S0057 Tasklist [1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0022 Uroburos [1] Obfuscated Files or Information: Software Packing, Rootkit

References