Turla
Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. [1] [2] [3] [4]
ID: G0010
Aliases: Turla, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton
Contributors: Edward Millington
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
Turla | [1] |
Waterbug | Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group. [7] |
WhiteBear | WhiteBear is a designation used by Securelist to describe a cluster of activity under broader G0010 activity. [8] |
VENOMOUS BEAR | [3] |
Snake | [3] |
Krypton | [3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1110 | Brute Force | Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1] |
Enterprise | T1083 | File and Directory Discovery | Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory.[1] |
Enterprise | T1066 | Indicator Removal from Tools | Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[2] |
Enterprise | T1086 | PowerShell | Turla has used a custom executable to execute PowerShell scripts.[5] |
Enterprise | T1057 | Process Discovery | Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1] |
Enterprise | T1055 | Process Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[5][6] |
Enterprise | T1012 | Query Registry | Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[4][5] |
Enterprise | T1105 | Remote File Copy | Turla has used shellcode to download Meterpreter after compromising a victim.[5] |
Enterprise | T1018 | Remote System Discovery | Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands.[1] |
Enterprise | T1192 | Spearphishing Link | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[4] |
Enterprise | T1071 | Standard Application Layer Protocol | Turla has used HTTP and HTTPS for C2 communications.[4][5] |
Enterprise | T1082 | System Information Discovery | Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[1] |
Enterprise | T1016 | System Network Configuration Discovery | Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, and net config commands.[1] |
Enterprise | T1049 | System Network Connections Discovery | Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[1] |
Enterprise | T1007 | System Service Discovery | Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1] |
Enterprise | T1124 | System Time Discovery | Turla surveys a system upon check-in to discover the system time by using the net time command.[1] |
Enterprise | T1204 | User Execution | Turla has used spearphishing via a link to get users to download and run their malware.[4] |
Enterprise | T1102 | Web Service | A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[4][5] |
Enterprise | T1077 | Windows Admin Shares | Turla used net use commands to connect to lateral systems within a network.[1] |
Enterprise | T1004 | Winlogon Helper DLL | Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[4] |
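The check-in survey that recurs through the table (tasklist, reg query, net view, systeminfo, set, arp, nbtstat, net config, netstat, net use/file/session, net time) is a burst of built-in discovery commands launched by one parent process, and that shape is a detection opportunity in its own right. The following is an added example, not code from MITRE or from any of the cited reports: it runs over constructed process-creation events (the one-line field layout is an assumption; map it to your Sysmon Event ID 1 or Security 4688 export) and alerts when one parent process on one host covers several of the listed techniques within a short window, so that a single admin running tasklist or netstat does not fire it.

```python
"""Detect the Turla-style check-in survey from process-creation events.

Added example (not MITRE's or any vendor's code). The event layout and the
sample log are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the technique table, keyed by ATT&CK ID. Patterns
# run against the normalised command line produced by normalize().
SURVEY_COMMANDS = {
    "T1057": (r"^tasklist /v\b",),
    "T1007": (r"^tasklist /svc\b",),
    "T1012": (r"^reg query\b",),
    "T1018": (r"^net view\b",),
    "T1082": (r"^systeminfo\b", r"^set$"),
    "T1016": (r"^arp -a\b", r"^nbtstat -n\b", r"^net config\b"),
    "T1049": (r"^netstat -an\b", r"^net (use|file|session)\b"),
    "T1124": (r"^net time\b",),
}
PATTERNS = [(tid, re.compile(p)) for tid, pats in SURVEY_COMMANDS.items() for p in pats]

WINDOW = timedelta(seconds=120)  # the survey runs back-to-back at check-in
MIN_TECHNIQUES = 4               # distinct techniques required before alerting

# Assumed one-line event layout: <ISO time> <host> pid=<n> ppid=<n> cmd="<command line>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+cmd="(?P<cmd>.*)"$'
)


def normalize(cmd):
    """Lower-case, drop quotes, the image directory, '.exe' and a 'cmd /c'
    wrapper, then collapse whitespace, so that a full-path NET.EXE VIEW
    becomes 'net view' and 'cmd.exe /c set' becomes 'set'."""
    cmd = cmd.lower().replace('"', "")
    cmd = re.sub(r"^\S*\\", "", cmd)                    # directory of the image
    cmd = re.sub(r"^cmd(\.exe)?\s+/[ck]\s+", "", cmd)   # unwrap cmd /c <command>
    cmd = re.sub(r"^\S*\\", "", cmd)                    # directory of the inner image
    cmd = re.sub(r"^(\w+)\.exe\b", r"\1", cmd)
    return " ".join(cmd.split())


def classify(cmd):
    """Technique IDs whose survey command this command line matches."""
    norm = normalize(cmd)
    return {tid for tid, rx in PATTERNS if rx.search(norm)}


def parse_events(lines):
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "ppid": int(m["ppid"]), "cmd": m["cmd"],
            "techniques": classify(m["cmd"]),
        })
    return events


def detect_survey_bursts(lines, window=WINDOW, min_techniques=MIN_TECHNIQUES):
    """One alert per (host, parent pid) whose children cover at least
    min_techniques distinct discovery techniques inside `window`."""
    by_parent = defaultdict(list)
    for ev in parse_events(lines):
        if ev["techniques"]:
            by_parent[(ev["host"], ev["ppid"])].append(ev)
    alerts = []
    for (host, ppid), evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen, cmds = set(), []
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                seen |= ev["techniques"]
                cmds.append(ev["cmd"])
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "ppid": ppid, "start": first["ts"],
                               "techniques": sorted(seen), "commands": cmds})
                break  # one alert per parent is enough for triage
    return alerts


# Constructed sample: a survey burst under one parent on WS01, and an admin on
# WS02 running two of the same commands an hour apart (must not alert).
SAMPLE_LOG = r"""
2018-05-22T10:00:01Z WS01 pid=2104 ppid=1880 cmd="tasklist /v"
2018-05-22T10:00:02Z WS01 pid=2110 ppid=1880 cmd="C:\Windows\system32\systeminfo.exe"
2018-05-22T10:00:02Z WS01 pid=2111 ppid=1880 cmd="C:\Windows\system32\cmd.exe /c set"
2018-05-22T10:00:04Z WS01 pid=2116 ppid=1880 cmd="reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
2018-05-22T10:00:05Z WS01 pid=2120 ppid=1880 cmd="net view /DOMAIN"
2018-05-22T10:00:06Z WS01 pid=2123 ppid=1880 cmd="arp -a"
2018-05-22T10:00:07Z WS01 pid=2125 ppid=1880 cmd="netstat -an"
2018-05-22T10:00:08Z WS01 pid=2130 ppid=1880 cmd="net time"
2018-05-22T11:00:00Z WS02 pid=3001 ppid=700 cmd="tasklist /svc"
2018-05-22T12:05:00Z WS02 pid=3050 ppid=700 cmd="netstat -an"
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_survey_bursts(SAMPLE_LOG):
        print(a["host"], a["ppid"], a["start"], a["techniques"])
```

The window and threshold are tuning knobs: the table describes the whole survey running at check-in, so a two-minute window with four distinct techniques is deliberately loose enough to catch a partial survey and tight enough to ignore help-desk activity spread over a shift. Keying on the parent pid rather than the host is what separates an implant spawning its children from several unrelated interactive sessions.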
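Two of the persistence locations in the table, the Winlogon Shell value (T1004) and the Run key (T1060), can be audited offline from a reg export of the relevant keys. The following is an added example, not code from MITRE or the cited reports: it parses a constructed .reg export (the paths and data are invented; only the value names Shell and local_update_check come from the table) and flags a per-user Shell override, a machine-wide Shell that is not the explorer.exe default, and Run entries that carry the reported value name, run from a user-writable path, or launch through a script host. The user-writable-path and script-host rules are general hunting heuristics, not behaviour the page attributes to Turla.

```python
"""Audit Winlogon Shell and Run-key persistence from a .reg export.

Added example (not MITRE's or any vendor's code). The export below is
constructed; only the value names Shell and local_update_check come from
the technique table.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="string data" with .reg escaping (a backslash escapes the next character)
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Generic hunting heuristics for Run-key data (assumptions, not page claims).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")


def unescape(s):
    """Undo .reg string escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ values. hex:/dword:
    data is skipped because this audit only looks at string values."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            entries.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            entries[key][unescape(m["name"])] = unescape(m["data"])
    return entries


def audit_persistence(entries):
    """Findings for T1004 (Winlogon Shell) and T1060 (Run / RunOnce keys)."""
    findings = []
    for key, values in entries.items():
        lk = key.lower()
        if lk.endswith("\\winlogon") and "Shell" in values:
            shell = values["Shell"]
            per_user = lk.startswith("hkey_current_user")
            # HKCU normally carries no Shell value at all; HKLM's should be explorer.exe
            if per_user or shell.strip().lower() != "explorer.exe":
                findings.append({"technique": "T1004", "key": key, "name": "Shell",
                                 "data": shell,
                                 "why": "per-user Shell override" if per_user
                                        else "Shell is not explorer.exe"})
        if lk.endswith("\\currentversion\\run") or lk.endswith("\\currentversion\\runonce"):
            for name, data in values.items():
                d = data.lower()
                reasons = []
                if name.lower() == "local_update_check":
                    reasons.append("value name reported for the Turla JavaScript backdoor [4]")
                if any(p in d for p in USER_WRITABLE):
                    reasons.append("runs from a user-writable path")
                if d.lstrip('"').startswith(SCRIPT_HOSTS):
                    reasons.append("launched through a script host")
                if reasons:
                    findings.append({"technique": "T1060", "key": key, "name": name,
                                     "data": data, "why": "; ".join(reasons)})
    return findings


# Constructed export (assumption: output of `reg export` for these keys).
# The local_update_check data is invented; only the value name is from the table.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"local_update_check"="wscript.exe //B \"C:\\ProgramData\\update.js\""
'''

if __name__ == "__main__":
    for f in audit_persistence(parse_reg(SAMPLE_REG)):
        print(f["technique"], f["key"], f["name"], "->", f["why"])
```

Run it against `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg` and the matching HKLM Winlogon and Run exports from a suspect host; the per-user Shell check matters because Windows honours an HKCU Shell value over the HKLM default, which is exactly why the table's HKCU entry is a persistence location and not a misconfiguration.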
Software
References
- [1] Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- [2] ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- [3] Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
- [4] ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- [5] ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- [6] Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
- [7] Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- [8] Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.