Group: Turla, Waterbug, WhiteBear

Group
ID: G0010
Aliases: Turla, Waterbug, WhiteBear

Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. They are known for conducting watering hole and spearphishing campaigns.[1][2]

Alias Descriptions

  • Turla - [1]
  • Waterbug - Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.[3]
  • WhiteBear - WhiteBear is a designation used by Securelist to describe a cluster of activity under broader Turla activity.[4]

Techniques Used

  • Process Discovery - Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1]
  • System Service Discovery - Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1]
  • Remote System Discovery - Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands.[1]
  • Query Registry - Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1]
  • File and Directory Discovery - Turla surveys a system upon check-in to discover files in specific locations on the hard disk, including the %TEMP% directory, the current user's desktop, and the Program Files directory.[1]
  • Brute Force - Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1]
  • Indicator Removal from Tools - Based on a comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[2]
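The technique list above describes a recognisable pattern for defenders: a single implant process running several built-in discovery commands (tasklist /v, tasklist /svc, net view, reg query) in quick succession right after check-in, followed by repeated net use attempts against other hosts. The following is an added detection example, not code from the ATT&CK page or from any vendor; it runs over constructed process-creation records (hosts, users, paths and passwords are invented) in an assumed pipe-delimited layout modelled on Windows 4688 / Sysmon Event ID 1 fields, and flags a parent process that (a) runs three or more distinct discovery techniques within a short window or (b) issues net use three or more times within a few minutes.

```python
"""Flag check-in style discovery bursts and repeated 'net use' attempts.

Added example, not from the ATT&CK page. The log layout is an assumption:
    <ISO timestamp>|<host>|<user>|<parent image>|<child command line>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample telemetry; every host, user, path and password is invented.
SAMPLE_LOG = r"""
2023-03-01T09:00:01|WS01|corp\alice|C:\Windows\explorer.exe|"C:\Program Files\Office\winword.exe" report.docx
2023-03-01T09:12:03|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|tasklist /v
2023-03-01T09:12:04|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|"C:\Windows\System32\tasklist.exe" /svc
2023-03-01T09:12:05|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|net view
2023-03-01T09:12:06|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|net view /DOMAIN
2023-03-01T09:12:07|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
2023-03-01T09:15:10|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|net use \\FS01\C$ /user:corp\admin pw-guess-1
2023-03-01T09:15:11|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|net use \\FS01\C$ /user:corp\admin pw-guess-2
2023-03-01T09:15:12|WS01|corp\alice|C:\Users\alice\AppData\Roaming\svc.exe|net use \\FS02\C$ /user:corp\admin pw-guess-1
2023-03-01T10:30:00|WS02|corp\bob|C:\Windows\explorer.exe|tasklist /svc
2023-03-01T14:45:00|WS02|corp\bob|C:\Windows\System32\cmd.exe|net view
2023-03-01T14:45:30|WS02|corp\bob|C:\Windows\System32\cmd.exe|net use \\FS01\share /user:corp\bob *
"""

# Technique names follow the ATT&CK entries listed for this group.
DISCOVERY = {
    "Process Discovery": re.compile(r"^tasklist\s+/v\b"),
    "System Service Discovery": re.compile(r"^tasklist\s+/svc\b"),
    "Remote System Discovery": re.compile(r"^net\s+view\b"),
    "Query Registry": re.compile(r"^reg\s+query\b"),
}
# Captures the UNC host of a 'net use' command, e.g. '\\fs01'.
NET_USE = re.compile(r"^net\s+use\s+(\\\\[^\s\\]+)")


def normalize(cmdline: str) -> str:
    """Reduce a command line to '<exe basename without .exe> <args>' in lower case,
    so a bare 'tasklist /v' and a fully quoted System32 path look the same."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"') and cmdline.find('"', 1) > 0:
        end = cmdline.find('"', 1)
        exe, args = cmdline[1:end], cmdline[end + 1:]
    else:
        exe, _, args = cmdline.partition(" ")
    exe = exe.rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "net1":  # net.exe hands most verbs to net1.exe
        exe = "net"
    return (exe + " " + args.strip().lower()).strip()


def parse(log_text: str):
    """Turn the pipe-delimited sample into event dicts with parsed timestamps."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "parent": parent, "cmd": normalize(cmd)})
    return events


def discovery_bursts(events, window=timedelta(minutes=2), min_distinct=3):
    """Flag a (host, parent) that runs >= min_distinct distinct discovery
    techniques inside `window`; one finding per parent, at its first burst."""
    by_parent = defaultdict(list)
    for e in events:
        for technique, pattern in DISCOVERY.items():
            if pattern.search(e["cmd"]):
                by_parent[(e["host"], e["parent"])].append((e["ts"], technique))
    findings = []
    for (host, parent), hits in by_parent.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [(ts, t) for ts, t in hits[i:] if ts - start <= window]
            seen = sorted({t for _, t in in_window})
            if len(seen) >= min_distinct:
                findings.append({"host": host, "parent": parent, "techniques": seen,
                                 "first_seen": start, "last_seen": in_window[-1][0]})
                break
    return findings


def net_use_sprays(events, window=timedelta(minutes=5), min_attempts=3):
    """Flag a (host, parent) issuing 'net use' >= min_attempts times inside
    `window`; repeated attempts with varying credentials is the guessing pattern."""
    by_parent = defaultdict(list)
    for e in events:
        m = NET_USE.match(e["cmd"])
        if m:
            by_parent[(e["host"], e["parent"])].append((e["ts"], m.group(1)))
    findings = []
    for (host, parent), attempts in by_parent.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            in_window = [(ts, tgt) for ts, tgt in attempts[i:] if ts - start <= window]
            if len(in_window) >= min_attempts:
                findings.append({"host": host, "parent": parent, "attempts": len(in_window),
                                 "targets": sorted({tgt for _, tgt in in_window})})
                break
    return findings


def run(log_text: str = SAMPLE_LOG) -> dict:
    events = parse(log_text)
    return {"discovery_bursts": discovery_bursts(events),
            "net_use_sprays": net_use_sprays(events)}


if __name__ == "__main__":
    for kind, items in run().items():
        for finding in items:
            print(kind, finding)
```

On the sample, only the WS01 process under the user's roaming profile is flagged: four distinct discovery techniques within four seconds, then three net use attempts in two seconds against two hosts. The isolated tasklist /svc and net view on WS02, hours apart and under different parents, stay below the thresholds, which is the point of keying on the parent process and a short window rather than on any single command that administrators also run.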

Software