Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1005 | Data from Local System | |
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[1] |
Enterprise | T1008 | Fallback Channels | TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.[1] |
Enterprise | T1105 | Ingress Tool Transfer | TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[1] |
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | TinyTurla has mimicked an existing Windows service by being installed as |
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | TinyTurla has been deployed as |
Enterprise | T1112 | Modify Registry | TinyTurla can set its configuration parameters in the Registry.[1] |
Enterprise | T1106 | Native API | TinyTurla has used |
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | TinyTurla can save its configuration parameters in the Registry.[1] |
Enterprise | T1012 | Query Registry | TinyTurla can query the Registry for its configuration information.[1] |
Enterprise | T1029 | Scheduled Transfer | TinyTurla contacts its C2 based on a scheduled timing set in its configuration.[1] |
Enterprise | T1569.002 | System Services: Service Execution | TinyTurla can install itself as a service on compromised machines.[1] |