1. Home
  2. Groups
  3. Turla

Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

ID: G0010
Associated Groups: IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON
Contributors: Matthieu Faou, ESET; Edward Millington
Version: 5.1
Created: 31 May 2017
Last Modified: 26 June 2024
Version Permalink

Associated Group Descriptions

Name Description
IRON HUNTER

[6]
Group 88

[7]
Waterbug

Based similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.[8]
WhiteBear

WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.[9][10]
Snake

[3][11][10]
Krypton

[3]
Venomous Bear

[3][10]
Secret Blizzard

[12]
BELUGASTURGEON

[13]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Turla RPC backdoors can impersonate or steal process tokens before executing commands.[11]

Enterprise T1087 .001 Account Discovery: Local Account

Turla has used net user to enumerate local accounts on the system.[14][15]
.002 Account Discovery: Domain Account

Turla has used net user /domain to enumerate domain accounts.[14]
Enterprise T1583 .006 Acquire Infrastructure: Web Services

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[15]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turla has used HTTP and HTTPS for C2 communications.[4][16]
.003 Application Layer Protocol: Mail Protocols

Turla has used multiple backdoors which communicate with a C2 server via email attachments.[17]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[18]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Turla Javascript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[4][16][19]
.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[4]
Enterprise T1110 Brute Force

Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[16][11][18] Turla has also used PowerShell scripts to load and execute malware in memory.
.003 Command and Scripting Interpreter: Windows Command Shell

Turla RPC backdoors have used cmd.exe to execute commands.[11][18]
.005 Command and Scripting Interpreter: Visual Basic

Turla has used VBS scripts throughout its operations.[18]

.006 Command and Scripting Interpreter: Python

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[20]
.007 Command and Scripting Interpreter: JavaScript

Turla has used various JavaScript-based backdoors.[4]

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Turla has used the VPS infrastructure of compromised Iranian threat actors.[21]
.004 Compromise Infrastructure: Server

Turla has used compromised servers as infrastructure.[22][13][10]
.006 Compromise Infrastructure: Web Services

Turla has frequently used compromised WordPress sites for C2 infrastructure.[22]
Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Turla has gathered credentials from the Windows Credential Manager tool.[18]

Enterprise T1213 Data from Information Repositories

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[14]
Enterprise T1005 Data from Local System

Turla RPC backdoors can upload files from victim machines.[11]
Enterprise T1025 Data from Removable Media

Turla RPC backdoors can collect files from USB thumb drives.[11][18]
Enterprise T1140 Deobfuscate/Decode Files or Information

Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[11]
Enterprise T1587 .001 Develop Capabilities: Malware

Turla has developed its own unique malware for use in operations.[22]
Enterprise T1189 Drive-by Compromise

Turla has infected victims using watering holes.[14][6]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Turla has used WMI event filters and consumers to establish persistence.[11]
.013 Event Triggered Execution: PowerShell Profile

Turla has used PowerShell profiles to maintain persistence on an infected machine.[11]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Turla has used WebDAV to upload stolen USB files to a cloud drive.[18] Turla has also exfiltrated stolen files to OneDrive and 4shared.[14]
Enterprise T1068 Exploitation for Privilege Escalation

Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.[23]
Enterprise T1083 File and Directory Discovery

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[1][14] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[11]
Enterprise T1615 Group Policy Discovery

Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.[14]
Enterprise T1564 .012 Hide Artifacts: File/Path Exclusions

Turla has placed LunarWeb install files into directories that are excluded from scanning.[19]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[11]
Enterprise T1105 Ingress Tool Transfer

Turla has used shellcode to download Meterpreter after compromising a victim.[16]
Enterprise T1570 Lateral Tool Transfer

Turla RPC backdoors can be used to transfer files to/from victim machines on the local network.[11][18]
Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Turla has named components of LunarWeb to mimic Zabbix agent logs.[19]
Enterprise T1112 Modify Registry

Turla has modified Registry values to store payloads.[11][18]
Enterprise T1106 Native API

Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.[11]
Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[2]
.010 Obfuscated Files or Information: Command Obfuscation

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.[11]
.011 Obfuscated Files or Information: Fileless Storage

Turla has used the Registry to store encrypted and encoded payloads.[11][18]
Enterprise T1588 .001 Obtain Capabilities: Malware

Turla has used malware obtained after compromising other threat actors, such as OilRig.[21][22]
.002 Obtain Capabilities: Tool

Turla has obtained and customized publicly-available tools like Mimikatz.[18]
Enterprise T1201 Password Policy Discovery

Turla has used net accounts and net accounts /domain to acquire password policy information.[14]
Enterprise T1120 Peripheral Device Discovery

Turla has used fsutil fsinfo drives to list connected drives.[14]
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.[14]
.002 Permission Groups Discovery: Domain Groups

Turla has used net group "Domain Admins" /domain to identify domain administrators.[14]
Enterprise T1566 .002 Phishing: Spearphishing Link

Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[4]
Enterprise T1057 Process Discovery

Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[11]
Enterprise T1055 Process Injection

Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system.[11]
.001 Dynamic-link Library Injection

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[16][24]
Enterprise T1090 Proxy

Turla RPC backdoors have included local UPnP RPC proxies.[11]

.001 Internal Proxy

Turla has compromised internal network systems to act as a proxy to forward traffic to C2.[10]
Enterprise T1012 Query Registry

Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1] Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .[11]
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Turla used net use commands to connect to lateral systems within a network.[1]
Enterprise T1018 Remote System Discovery

Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. Turla has also used net group "Domain Computers" /domain, net group "Domain Controllers" /domain, and net group "Exchange Servers" /domain to enumerate domain computers, including the organization's DC and Exchange Server.[1][14]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[14]
Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.[23][25]
Enterprise T1082 System Information Discovery

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[1][14]
Enterprise T1016 System Network Configuration Discovery

Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[1][18][14] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[11]
.001 Internet Connection Discovery

Turla has used tracert to check internet connectivity.[14]
Enterprise T1049 System Network Connections Discovery

Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[1][14] Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.[11]
Enterprise T1007 System Service Discovery

Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1]
Enterprise T1124 System Time Discovery

Turla surveys a system upon check-in to discover the system time by using the net time command.[1]
Enterprise T1204 .001 User Execution: Malicious Link

Turla has used spearphishing via a link to get users to download and run their malware.[4]
Enterprise T1078 .003 Valid Accounts: Local Accounts

Turla has abused local accounts that have the same password across the victim’s network.[15]
Enterprise T1102 Web Service

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[13][15]
.002 Bidirectional Communication

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[4][16]

Software

ID Name References Techniques
S0099 Arp [1] Remote System Discovery, System Network Configuration Discovery
S0335 Carbon [26][6] Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Non-Application Layer Protocol, Obfuscated Files or Information, Permission Groups Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Remote System Discovery, Scheduled Task/Job: Scheduled Task, System Network Configuration Discovery, System Network Connections Discovery, System Time Discovery, Web Service
S0160 certutil [18] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0126 ComRAT [8][20][6] Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Hide Artifacts: Hidden File System, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Embedded Payloads, Process Injection: Dynamic-link Library Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Scheduled Transfer, Software Discovery, System Time Discovery, Web Service: Bidirectional Communication
S0538 Crutch [15][10] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Automated Exfiltration, Data from Local System, Data from Removable Media, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Fallback Channels, Hijack Execution Flow: DLL, Masquerading: Masquerade Task or Service, Peripheral Device Discovery, Scheduled Task/Job: Scheduled Task, Web Service: Bidirectional Communication
S0363 Empire [27][15] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0091 Epic [1][6] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Archive Collected Data, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal: File Deletion, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Extra Window Memory Injection, Query Registry, Remote System Discovery, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery
S0168 Gazer [2] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Screensaver, Execution Guardrails: Mutual Exclusion, Hide Artifacts: NTFS File Attributes, Indicator Removal: Timestomp, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Encrypted/Encoded File, Process Injection: Thread Execution Hijacking, Process Injection, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Owner/User Discovery
S0537 HyperStack [13] Account Discovery: Local Account, Encrypted Channel: Symmetric Cryptography, Inter-Process Communication, Modify Registry, Native API, Valid Accounts: Default Accounts
S0581 IronNetInjector [20] Command and Scripting Interpreter: Python, Deobfuscate/Decode Files or Information, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Task/Job: Scheduled Task
S0265 Kazuar [28][10] Account Discovery: Local Account, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Destruction, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Fallback Channels, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy: Internal Proxy, Scheduled Transfer, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S1075 KOPILUWAK [29] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: JavaScript, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Network Share Discovery, Phishing: Spearphishing Attachment, Process Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, User Execution: Malicious File
S0395 LightNeuron [30][6] Application Layer Protocol: Mail Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Data Manipulation: Transmitted Data Manipulation, Data Obfuscation: Steganography, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Email Collection: Remote Email Collection, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Scheduled Transfer, Server Software Component: Transport Agent, System Information Discovery, System Network Configuration Discovery
S1143 LunarLoader [19] Deobfuscate/Decode Files or Information, Execution Guardrails, Office Application Startup: Add-ins, Reflective Code Loading, System Network Configuration Discovery
S1142 LunarMail [19] Application Layer Protocol: Mail Protocols, Command and Scripting Interpreter: Visual Basic, Create or Modify System Process, Data Obfuscation: Steganography, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Email Collection: Local Email Collection, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Clear Mailbox Data, Indicator Removal: File Deletion, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Office Application Startup: Add-ins, Screen Capture, System Information Discovery, User Execution: Malicious File
S1141 LunarWeb [19] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Archive Collected Data: Archive via Utility, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data Obfuscation: Steganography, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Group Policy Discovery, Indicator Removal: File Deletion, Inter-Process Communication, Multi-Stage Channels, Network Share Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery: Local Groups, Process Discovery, Protocol Tunneling, Proxy, Software Discovery, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Windows Management Instrumentation
S0002 Mimikatz [16][18] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0256 Mosquito [4][16][6] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Indicator Removal: File Deletion, Ingress Tool Transfer, Modify Registry, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Process Discovery, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0590 NBTscan [18] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0102 nbtstat [1] System Network Configuration Discovery, System Network Connections Discovery
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1] System Network Connections Discovery
S0587 Penquin [7] Command and Scripting Interpreter: Unix Shell, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Network Sniffing, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Encrypted/Encoded File, Scheduled Task/Job: Cron, System Information Discovery, System Network Configuration Discovery, Traffic Signaling, Traffic Signaling: Socket Filters
S0393 PowerStallion [11] Command and Scripting Interpreter: PowerShell, Indicator Removal: Timestomp, Obfuscated Files or Information, Process Discovery, Web Service: Bidirectional Communication
S0029 PsExec [18] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0096 Systeminfo [1][19] System Information Discovery
S0057 Tasklist [1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0668 TinyTurla [10] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Asymmetric Cryptography, Fallback Channels, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information: Fileless Storage, Query Registry, Scheduled Transfer, System Services: Service Execution
S0022 Uroburos [1][5] Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Non-Standard Encoding, Data from Local System, Data Obfuscation: Junk Data, Data Obfuscation: Protocol or Service Impersonation, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Hide Artifacts: Hidden File System, Indicator Removal: File Deletion, Ingress Tool Transfer, Inter-Process Communication, Masquerading: Masquerade Task or Service, Modify Registry, Multi-Stage Channels, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Embedded Payloads, Process Discovery, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Multi-hop Proxy, Query Registry, Reflective Code Loading, Rootkit, System Information Discovery, Traffic Signaling

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  2. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  3. Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
  4. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  5. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  6. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  7. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  8. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  9. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  10. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  11. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  12. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  13. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  14. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  15. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  1. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  2. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  3. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  4. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  5. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  6. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  7. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
  8. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
  9. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  10. TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
  11. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  12. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  13. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  14. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  15. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.