Turla

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. [1] [2] [3] [4]

ID: G0010
Aliases: Turla, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton
Contributors: Edward Millington

Version: 1.0

Alias Descriptions

Name | Description
Turla | [1]
Waterbug | Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group. [7]
WhiteBear | WhiteBear is a designation used by Securelist to describe a cluster of activity under broader G0010 activity. [8]
VENOMOUS BEAR | [3]
Snake | [3]
Krypton | [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords. [1]
Enterprise | T1083 | File and Directory Discovery | Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, and the Program Files directory. [1]
Enterprise | T1066 | Indicator Removal from Tools | Based on a comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. [2]
Enterprise | T1086 | PowerShell | Turla has used a custom executable to execute PowerShell scripts. [5]
Enterprise | T1057 | Process Discovery | Turla surveys a system upon check-in to discover running processes using the tasklist /v command. [1]
Enterprise | T1055 | Process Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. [5] [6]
Enterprise | T1012 | Query Registry | Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. [4] [5]
Enterprise | T1105 | Remote File Copy | Turla has used shellcode to download Meterpreter after compromising a victim. [5]
Enterprise | T1018 | Remote System Discovery | Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. [1]
Enterprise | T1192 | Spearphishing Link | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access. [4]
Enterprise | T1071 | Standard Application Layer Protocol | Turla has used HTTP and HTTPS for C2 communications. [4] [5]
Enterprise | T1082 | System Information Discovery | Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands. [1]
Enterprise | T1016 | System Network Configuration Discovery | Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, and net config commands. [1]
Enterprise | T1049 | System Network Connections Discovery | Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands. [1]
Enterprise | T1007 | System Service Discovery | Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command. [1]
Enterprise | T1124 | System Time Discovery | Turla surveys a system upon check-in to discover the system time using the net time command. [1]
Enterprise | T1204 | User Execution | Turla has used spearphishing via a link to get users to download and run their malware. [4]
Enterprise | T1102 | Web Service | A Turla JavaScript backdoor has used Google Apps Script as its C2 server. [4] [5]
Enterprise | T1077 | Windows Admin Shares | Turla used net use commands to connect to lateral systems within a network. [1]
Enterprise | T1004 | Winlogon Helper DLL | Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. [4]
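The rows above describe a burst of host-survey commands run right after check-in. The following is an added detection example, not code from MITRE or from the page: it takes constructed process-creation records and flags any host that runs several distinct commands from that survey set within a short window. The record format, the five-minute window and the threshold of four are assumptions.

```python
"""Flag a Turla-style check-in survey burst in process-creation records (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Survey commands named on the page as (binary, argument prefix pattern).
# An empty pattern matches any arguments. "set" is a cmd.exe builtin and would
# appear inside a "cmd /c" command line, which this simple matcher does not unpack.
SURVEY_COMMANDS = [
    ("tasklist", r"/v"), ("tasklist", r"/svc"), ("reg", r"query"),
    ("net", r"view"), ("net", r"use"), ("net", r"file"), ("net", r"session"),
    ("net", r"config"), ("net", r"time"), ("systeminfo", r""), ("set", r""),
    ("arp", r"-a"), ("nbtstat", r"-n"), ("netstat", r"-an"),
]

# Constructed records, one per line: "timestamp|host|command line".
SAMPLE_LOG = """\
2019-03-01T10:00:01|WS01|C:\\Windows\\System32\\tasklist.exe /v
2019-03-01T10:00:02|WS01|systeminfo
2019-03-01T10:00:02|WS01|net view /DOMAIN
2019-03-01T10:00:03|WS01|arp -a
2019-03-01T10:00:03|WS01|netstat -an
2019-03-01T10:00:04|WS01|reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
2019-03-01T10:00:05|WS01|net time
2019-03-01T09:10:00|WS02|netstat -an
2019-03-01T11:45:00|WS02|arp -a
2019-03-01T10:20:00|WS03|notepad.exe report.txt
"""

def classify(cmdline):
    """Return the survey-command label a command line matches, or None."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    binary = parts[0].rsplit("\\", 1)[-1].lower()   # strip path
    if binary.endswith(".exe"):
        binary = binary[:-4]
    args = " ".join(parts[1:]).lower()
    for name, pattern in SURVEY_COMMANDS:
        if binary == name and re.match(pattern, args):
            return f"{name} {pattern}".strip()
    return None

def find_survey_bursts(log_text, window=timedelta(minutes=5), threshold=4):
    """Map host -> sorted distinct survey commands for hosts that run at least
    `threshold` distinct survey commands inside any `window`-long interval."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, cmdline = line.split("|", 2)
        label = classify(cmdline)
        if label:
            events[host].append((datetime.fromisoformat(ts), label))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):   # slide the window over each start event
            seen = {lbl for t, lbl in evs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[host] = sorted(seen)
                break
    return hits
```

On the constructed records only WS01 is flagged; WS02 runs two survey commands hours apart and stays below the threshold.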

Software

ID | Name | Techniques
S0099 | Arp | System Network Configuration Discovery
S0126 | ComRAT | Component Object Model Hijacking, Standard Application Layer Protocol
S0091 | Epic | Code Signing, Standard Application Layer Protocol
S0168 | Gazer | Code Signing, Connection Proxy, Custom Cryptographic Protocol, File Deletion, NTFS File Attributes, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Task, Screensaver, Shortcut Modification, Standard Application Layer Protocol, System Owner/User Discovery, Timestomp, Winlogon Helper DLL
S0265 | Kazuar | Account Discovery, Application Window Discovery, Command-Line Interface, Data Encoding, Data from Local System, Data Staged, Fallback Channels, File and Directory Discovery, File Deletion, New Service, Obfuscated Files or Information, Permission Groups Discovery, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Transfer, Screen Capture, Shortcut Modification, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0256 | Mosquito | Command-Line Interface, Component Object Model Hijacking, Custom Cryptographic Protocol, Execution through API, File Deletion, Modify Registry, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Security Software Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0102 | nbtstat | System Network Configuration Discovery, System Network Connections Discovery
S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104 | netstat | System Network Connections Discovery
S0075 | Reg | Credentials in Registry, Modify Registry, Query Registry
S0096 | Systeminfo | System Information Discovery
S0057 | Tasklist | Process Discovery, Security Software Discovery, System Service Discovery
S0022 | Uroburos | Rootkit, Software Packing

References