Turla

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla's espionage platform is mainly used against Windows machines, but has also been used against macOS and Linux machines. [1] [2] [3] [4]

ID: G0010
Contributors: Edward Millington

Version: 1.1

Associated Group Descriptions

Name | Description
Waterbug | Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group. [8]
WhiteBear | WhiteBear is a designation used by Securelist to describe a cluster of activity under broader G0010 activity. [9]
VENOMOUS BEAR | [3]
Snake | [3]
Krypton | [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords. [1]
Enterprise | T1083 | File and Directory Discovery | Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, and the Program Files directory. [1]
Enterprise | T1066 | Indicator Removal from Tools | Based on a comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. [2]
Enterprise | T1086 | PowerShell | Turla has used a custom executable to execute PowerShell scripts. [5]
Enterprise | T1057 | Process Discovery | Turla surveys a system upon check-in to discover running processes using the tasklist /v command. [1]
Enterprise | T1055 | Process Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. [5][6]
Enterprise | T1012 | Query Registry | Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. [4][5]
Enterprise | T1105 | Remote File Copy | Turla has used shellcode to download Meterpreter after compromising a victim. [5]
Enterprise | T1018 | Remote System Discovery | Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. [1]
Enterprise | T1193 | Spearphishing Attachment | Turla has used spearphishing emails to deliver BrainTest as a malicious attachment. [7]
Enterprise | T1192 | Spearphishing Link | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access. [4]
Enterprise | T1071 | Standard Application Layer Protocol | Turla has used HTTP and HTTPS for C2 communications. [4][5]
Enterprise | T1082 | System Information Discovery | Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands. [1]
Enterprise | T1016 | System Network Configuration Discovery | Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, and net config commands. [1]
Enterprise | T1049 | System Network Connections Discovery | Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands. [1]
Enterprise | T1007 | System Service Discovery | Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command. [1]
Enterprise | T1124 | System Time Discovery | Turla surveys a system upon check-in to discover the system time by using the net time command. [1]
Enterprise | T1204 | User Execution | Turla has used spearphishing via a link to get users to download and run their malware. [4]
Enterprise | T1102 | Web Service | A Turla JavaScript backdoor has used Google Apps Script as its C2 server. [4][5]
Enterprise | T1077 | Windows Admin Shares | Turla used net use commands to connect to lateral systems within a network. [1]
Enterprise | T1004 | Winlogon Helper DLL | Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. [4]

Software

ID | Name | References | Techniques
S0099 | Arp | [1] | System Network Configuration Discovery
S0335 | Carbon | [7] | Account Discovery, Commonly Used Port, Data Staged, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol, New Service, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Remote System Discovery, Scheduled Task, Standard Non-Application Layer Protocol, System Network Configuration Discovery, System Network Connections Discovery, System Time Discovery
S0126 | ComRAT | [8] | Component Object Model Hijacking, Standard Application Layer Protocol
S0363 | Empire | [10] | Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Credentials in Files, Data Compressed, Distributed Component Object Model, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation
S0091 | Epic | [1] | Account Discovery, Code Signing, Data Compressed, Data Encrypted, File and Directory Discovery, File Deletion, Obfuscated Files or Information, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery, System Time Discovery
S0168 | Gazer | [2] | Code Signing, Connection Proxy, Custom Cryptographic Protocol, File Deletion, NTFS File Attributes, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Task, Screensaver, Shortcut Modification, Standard Application Layer Protocol, System Owner/User Discovery, Timestomp, Winlogon Helper DLL
S0265 | Kazuar | [11] | Account Discovery, Application Window Discovery, Command-Line Interface, Data Destruction, Data Encoding, Data from Local System, Data Staged, Fallback Channels, File and Directory Discovery, File Deletion, New Service, Obfuscated Files or Information, Permission Groups Discovery, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Transfer, Screen Capture, Shortcut Modification, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service, Windows Management Instrumentation
S0002 | Mimikatz | [5] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0256 | Mosquito | [4][5] | Command-Line Interface, Component Object Model Hijacking, Custom Cryptographic Protocol, Execution through API, File Deletion, Modify Registry, Obfuscated Files or Information, PowerShell, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Security Software Discovery, System Network Configuration Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0102 | nbtstat | [1] | System Network Configuration Discovery, System Network Connections Discovery
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104 | netstat | [1] | System Network Connections Discovery
S0075 | Reg | [1] | Credentials in Registry, Modify Registry, Query Registry
S0096 | Systeminfo | [1] | System Information Discovery
S0057 | Tasklist | [1] | Process Discovery, Security Software Discovery, System Service Discovery
S0022 | Uroburos | [1] | Rootkit, Software Packing

References