Epic

Epic is a backdoor that has been used by Turla.[1]

ID: S0091
Associated Software: Tavdig, Wipbot, WorldCupSec, TadjMakhal

Type: MALWARE
Platforms: Windows

Version: 1.1

Associated Software Descriptions

Name | Description
Tavdig | [1]
Wipbot | [1]
WorldCupSec | [1]
TadjMakhal | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Epic gathers a list of all user accounts, privilege classes, and time of last logon.[2]
Enterprise | T1116 | Code Signing | Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[1]
Enterprise | T1002 | Data Compressed | Epic compresses the collected data with bzip2 before sending it to the C2 server.[2]
Enterprise | T1022 | Data Encrypted | Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[1][2]
Enterprise | T1083 | File and Directory Discovery | Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.[1][2]
Enterprise | T1107 | File Deletion | Epic has a command to delete a file from the machine.[2]
Enterprise | T1027 | Obfuscated Files or Information | Epic heavily obfuscates its code to make analysis more difficult.[1]
Enterprise | T1069 | Permission Groups Discovery | Epic gathers information on local group names.[2]
Enterprise | T1057 | Process Discovery | Epic uses the tasklist /v command to obtain a list of processes.[1][2]
Enterprise | T1012 | Query Registry | Epic uses the rem reg query command to obtain values from Registry keys.[1]
Enterprise | T1018 | Remote System Discovery | Epic uses the net view command on the victim's machine.[1]
Enterprise | T1063 | Security Software Discovery | Epic searches for anti-malware services running on the victim's machine and terminates itself if it finds them.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Epic uses HTTP and HTTPS for C2 communications.[1][2]
Enterprise | T1032 | Standard Cryptographic Protocol | Epic encrypts commands from the C2 server using a hardcoded key.[1]
Enterprise | T1082 | System Information Discovery | Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.[2]
Enterprise | T1016 | System Network Configuration Discovery | Epic uses the nbtstat -n and nbtstat -s commands on the victim's machine.[1]
Enterprise | T1049 | System Network Connections Discovery | Epic uses the net use, net session, and netstat commands to gather information on network connections.[1][2]
Enterprise | T1033 | System Owner/User Discovery | Epic collects the user name from the victim's machine.[2]
Enterprise | T1007 | System Service Discovery | Epic uses the tasklist /svc command to list the services on the system.[1]
Enterprise | T1124 | System Time Discovery | Epic uses the net time command to get the system time from the machine and collects the current date and time zone information.[1]
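The discovery rows above (tasklist /v, tasklist /svc, net view, nbtstat, net use/session, netstat, net time, reg query) are individually common administrative commands; what distinguishes a host survey like Epic's is many of them firing on one host within a short window. The following Python sketch is an added detection example, not code from the original page or from the cited reports: it matches each command line against the technique it evidences and raises one alert per host when a sliding window covers at least four distinct techniques. The log line format (`<ISO8601 UTC> host=... user=... cmd=...`), the sample events, the 10-minute window and the threshold of four are all constructed assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Reconnaissance commands the technique table attributes to Epic, keyed by the
# ATT&CK technique each evidences. "net1?" also covers the net.exe -> net1.exe hand-off.
RECON_PATTERNS = {
    "T1057 Process Discovery":                      r"\btasklist(?:\.exe)?\b.*\s/v\b",
    "T1007 System Service Discovery":               r"\btasklist(?:\.exe)?\b.*\s/svc\b",
    "T1018 Remote System Discovery":                r"\bnet1?(?:\.exe)?\s+view\b",
    "T1016 System Network Configuration Discovery": r"\bnbtstat(?:\.exe)?\s+-[ns]\b",
    "T1049 System Network Connections Discovery":   r"\b(?:net1?(?:\.exe)?\s+(?:use|session)|netstat(?:\.exe)?)\b",
    "T1124 System Time Discovery":                  r"\bnet1?(?:\.exe)?\s+time\b",
    "T1012 Query Registry":                         r"\breg(?:\.exe)?\s+query\b",
}
COMPILED = {tech: re.compile(pat, re.IGNORECASE) for tech, pat in RECON_PATTERNS.items()}

# Assumed process-creation log format (constructed for this example, not a real product format):
#   <ISO8601 UTC> host=<name> user=<name> cmd=<full command line>
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not fit the assumed format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def match_techniques(cmdline):
    """Return the set of technique labels a single command line evidences."""
    return {tech for tech, rx in COMPILED.items() if rx.search(cmdline)}


def find_bursts(lines, window=timedelta(minutes=10), min_distinct=4):
    """Per host, slide a time window over matching events and report the first
    window that covers at least `min_distinct` techniques. A single matching
    command is routine; the cluster is what resembles Epic's host survey."""
    per_host = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        techs = match_techniques(ev["cmd"])
        if techs:
            per_host.setdefault(ev["host"], []).append((ev["ts"], techs))

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, techs in events[i:]:
                if ts - start > window:
                    break
                seen |= techs
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "start": start, "techniques": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample events: WS01 shows a survey burst, WS02 a single benign command.
SAMPLE_LOG = """\
2019-03-04T10:15:01Z host=WS01 user=jdoe cmd=cmd.exe /c tasklist /v
2019-03-04T10:15:02Z host=WS01 user=jdoe cmd=cmd.exe /c tasklist /svc
2019-03-04T10:15:03Z host=WS01 user=jdoe cmd=net view
2019-03-04T10:15:04Z host=WS01 user=jdoe cmd=nbtstat -n
2019-03-04T10:15:05Z host=WS01 user=jdoe cmd=net time
2019-03-04T10:15:06Z host=WS01 user=jdoe cmd=reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
2019-03-04T11:40:00Z host=WS02 user=admin cmd=netstat -an
"""

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(alert["host"], alert["start"].isoformat(), ", ".join(alert["techniques"]))
```

Run against the constructed sample, only WS01 is reported, with six of the seven technique labels; WS02's lone netstat matches a pattern but never reaches the threshold. Tuning the window and threshold against a baseline of legitimate admin activity is the part that decides the false-positive rate, and the patterns should be fed the full command line (including parent process where the log has it) rather than just the image name.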

Groups

Groups that use this software:

Turla

References