HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.[1]

ID: S0537
Platforms: Windows
Version: 1.0
Created: 02 December 2020
Last Modified: 04 December 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

HyperStack can enumerate all account names on a remote share.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

HyperStack has used RSA encryption for C2 communications.[1]

Enterprise T1559 Inter-Process Communication

HyperStack can connect to the IPC$ share on remote machines.[1]

Enterprise T1112 Modify Registry

HyperStack can add the name of its communication pipe to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes.[1]

Enterprise T1106 Native API

HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.[1]

Enterprise T1078 .001 Valid Accounts: Default Accounts

HyperStack can use default credentials to connect to IPC$ shares on remote machines.[1]

Groups That Use This Software

ID Name References
G0010 Turla