Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

ID: G0010
Associated Groups: IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON
Contributors: Matthieu Faou, ESET; Edward Millington
Version: 5.1
Created: 31 May 2017
Last Modified: 26 June 2024

Associated Group Descriptions

Name Description
IRON HUNTER

[6]

Group 88

[7]

Waterbug

Based on similarity in TTPs and malware used, Turla and Waterbug appear to be the same group.[8]

WhiteBear

WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.[9][10]

Snake

[3][11][10]

Krypton

[3]

Venomous Bear

[3][10]

Secret Blizzard

[12]

BELUGASTURGEON

[13]

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Turla has used WMI event filters and consumers to establish persistence.[11]

.013 Event Triggered Execution: PowerShell Profile

Turla has used PowerShell profiles to maintain persistence on an infected machine.[11]
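
The two entries above describe persistence through a WMI filter-to-consumer binding and through PowerShell profiles. The following detection logic is an added example, not code from this page or from the ESET report it cites. It assumes Sysmon is logging WmiEventFilter (Event ID 19), WmiEventConsumer (20) and WmiEventConsumerToFilter (21) and that the records have already been parsed into dicts keyed by the Sysmon field names; the sample records, the filter and consumer names, and the function names are constructed for the example.

```python
"""Flag WMI event-subscription persistence from Sysmon WMI events (IDs 19/20/21).

Added example: the Sysmon field names (Name, Query, Type, Destination,
Consumer, Filter) are the real ones; every record below is constructed.
"""
import re

# Constructed sample telemetry. The first three records are a malicious
# subscription: an uptime-triggered filter, a CommandLineEventConsumer that
# launches hidden, encoded PowerShell, and the binding that joins them. The
# last three are the SCM event-log subscription that ships with Windows.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "Name": "UpdateFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "Name": "UpdateConsumer",
     "Type": "Command Line",
     "Destination": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="UpdateConsumer"',
     "Filter": '__EventFilter.Name="UpdateFilter"'},
    {"EventID": 19, "Operation": "Created", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "Name": "SCM Event Log Consumer",
     "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# Consumer classes that execute arbitrary code; Event Log / SMTP consumers do not.
SUSPICIOUS_CONSUMER_TYPES = {"Command Line", "Script"}
SUSPICIOUS_DESTINATION = re.compile(
    r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)"
    r"|(-e(nc(odedcommand)?)?\s)|frombase64string|\bhidden\b", re.I)
TIMER_QUERY = re.compile(r"SystemUpTime|Win32_LocalTime|__InstanceModificationEvent", re.I)
_NAME_RE = re.compile(r'Name="([^"]+)"')


def _wmi_name(ref):
    """Extract the instance name from a WMI object path such as
    __EventFilter.Name="UpdateFilter"."""
    m = _NAME_RE.search(ref)
    return m.group(1) if m else ref


def find_wmi_persistence(events):
    """Return (filter_name, consumer_name, reasons) for every binding whose
    consumer can execute code or whose filter is a timer-style trigger."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings = []
    for e in events:
        if e["EventID"] != 21:
            continue
        fname, cname = _wmi_name(e["Filter"]), _wmi_name(e["Consumer"])
        consumer = consumers.get(cname, {})
        reasons = []
        if consumer.get("Type") in SUSPICIOUS_CONSUMER_TYPES:
            reasons.append(f"consumer type '{consumer['Type']}' can execute code")
        if SUSPICIOUS_DESTINATION.search(consumer.get("Destination", "")):
            reasons.append("consumer launches an interpreter or an encoded command")
        if TIMER_QUERY.search(filters.get(fname, {}).get("Query", "")):
            reasons.append("filter is an uptime/clock trigger typical of persistence")
        if reasons:
            findings.append((fname, cname, reasons))
    return findings


if __name__ == "__main__":
    for fname, cname, reasons in find_wmi_persistence(SAMPLE_EVENTS):
        print(f"{fname} -> {cname}: " + "; ".join(reasons))
```

On a live host the same triage can be done against the root\subscription namespace with `Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding`, and the PowerShell profile half of the technique is covered by reading the four profile paths PowerShell evaluates ($PSHOME\Profile.ps1, $PSHOME\Microsoft.PowerShell_profile.ps1, and the two equivalents under the user's Documents\WindowsPowerShell folder) and treating any content there that decodes or downloads code as a finding.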

Enterprise T1213 Data from Information Repositories

Turla has used a custom .NET tool to collect documents from an organization's internal central database.[14]

Enterprise T1025 Data from Removable Media

Turla RPC backdoors can collect files from USB thumb drives.[11][15]

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Turla has gathered credentials from the Windows Credential Manager tool.[15]

Enterprise T1005 Data from Local System

Turla RPC backdoors can upload files from victim machines.[11]

Enterprise T1090 Proxy

Turla RPC backdoors have included local UPnP RPC proxies.[11]

.001 Internal Proxy

Turla has compromised internal network systems to act as a proxy to forward traffic to C2.[10]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Turla has named components of LunarWeb to mimic Zabbix agent logs.[16]

Enterprise T1112 Modify Registry

Turla has modified Registry values to store payloads.[11][15]

Enterprise T1140 Deobfuscate/Decode Files or Information

Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[11]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Turla has also saved a custom executable containing Metasploit shellcode to the Startup folder for the same purpose.[4][17][16]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.[4]
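
The Run key and Winlogon Shell entries above are both plain registry values, so a baseline check over a collected registry export catches them. The following is an added example, not code from this page or from the cited reports: it parses the text format written by `reg export` (a .reg file) and flags autostart entries that point at user-writable paths or script hosts, plus any Winlogon Shell or Userinit value that differs from the Windows default. The sample export, including the local_update_check entry and the extra Shell executable, is constructed; the function names are the example's own.

```python
"""Check Run keys and Winlogon values in a .reg export for persistence entries.

Added example. Parses `reg export` output rather than the live registry so it
runs offline on a collected artifact. The export below is constructed.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"local_update_check"="wscript.exe //B \"C:\\Users\\Public\\local_update_check.js\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
'''

RUN_KEYS = ("\\Microsoft\\Windows\\CurrentVersion\\Run",
            "\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
WINLOGON_KEY = "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
# Winlogon defaults; anything appended to these runs extra code at logon.
WINLOGON_DEFAULTS = {"Shell": "explorer.exe",
                     "Userinit": r"C:\Windows\system32\userinit.exe,"}
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\|%temp%|%appdata%", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)\b", re.I)
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    Binary/dword values are ignored; .reg escapes (\\\\ and \\") are undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name, data = m.group(1), m.group(2)
                keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def check_persistence(text):
    """Return (key, value_name, data, reason) tuples worth an analyst's look."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith(RUN_KEYS):
            for name, data in values.items():
                reasons = []
                if USER_WRITABLE.search(data):
                    reasons.append("autostart target lives in a user-writable path")
                if SCRIPT_HOST.search(data):
                    reasons.append("autostart runs a script host or proxy binary")
                if reasons:
                    findings.append((key, name, data, "; ".join(reasons)))
        elif key.endswith(WINLOGON_KEY):
            for name, default in WINLOGON_DEFAULTS.items():
                data = values.get(name)
                if data is not None and data.strip().lower() != default.lower():
                    findings.append((key, name, data, f"Winlogon {name} differs from the default"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in check_persistence(SAMPLE_REG):
        print(f"{key}\\{name} = {data}\n    {reason}")
```

The check deliberately compares Winlogon values against a fixed default rather than a denylist: the Shell value is supposed to be exactly explorer.exe, so any extra comma-separated executable is a finding regardless of its name.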

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject.[17][11][15] Turla has also used PowerShell scripts to load and execute malware in memory.

.003 Command and Scripting Interpreter: Windows Command Shell

Turla RPC backdoors have used cmd.exe to execute commands.[11][15]

.005 Command and Scripting Interpreter: Visual Basic

Turla has used VBS scripts throughout its operations.[15]

.006 Command and Scripting Interpreter: Python

Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[18]

.007 Command and Scripting Interpreter: JavaScript

Turla has used various JavaScript-based backdoors.[4]

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Turla has used the VPS infrastructure of compromised Iranian threat actors.[19]

.004 Compromise Infrastructure: Server

Turla has used compromised servers as infrastructure.[20][13][10]

.006 Compromise Infrastructure: Web Services

Turla has frequently used compromised WordPress sites for C2 infrastructure.[20]

Enterprise T1120 Peripheral Device Discovery

Turla has used fsutil fsinfo drives to list connected drives.[14]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[11]

Enterprise T1201 Password Policy Discovery

Turla has used net accounts and net accounts /domain to acquire password policy information.[14]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turla has used HTTP and HTTPS for C2 communications.[4][17]

.003 Application Layer Protocol: Mail Protocols

Turla has used multiple backdoors which communicate with a C2 server via email attachments.[21]

Enterprise T1587 .001 Develop Capabilities: Malware

Turla has developed its own unique malware for use in operations.[20]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[15]

Enterprise T1083 File and Directory Discovery

Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.[1][14] Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.[11]

Enterprise T1110 Brute Force

Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[1]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Turla has abused local accounts that have the same password across the victim’s network.[22]

Enterprise T1106 Native API

Turla and its RPC backdoors have used API calls for tasks such as subverting AMSI and accessing and executing commands through RPC and/or named pipes.[11]

Enterprise T1068 Exploitation for Privilege Escalation

Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.[23]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.[14]

.002 Permission Groups Discovery: Domain Groups

Turla has used net group "Domain Admins" /domain to identify domain administrators.[14]

Enterprise T1012 Query Registry

Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[1] Turla has also retrieved PowerShell payloads hidden in Registry keys and checked keys associated with null session named pipes.[11]

Enterprise T1570 Lateral Tool Transfer

Turla RPC backdoors can be used to transfer files to/from victim machines on the local network.[11][15]

Enterprise T1189 Drive-by Compromise

Turla has infected victims using watering holes.[14][6]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[2]

.010 Obfuscated Files or Information: Command Obfuscation

Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.[11]

.011 Obfuscated Files or Information: Fileless Storage

Turla has used the Registry to store encrypted and encoded payloads.[11][15]
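
The Deobfuscate/Decode, Disable or Modify Tools, Command Obfuscation and Fileless Storage entries above describe one pipeline: a PowerShell script tampers with AMSI, pulls an encrypted payload out of the Registry, derives the key from material stored elsewhere, and runs the result in memory. With script block logging enabled (Event ID 4104) each of those steps leaves a string in the log. The scorer below is an added example, not code from this page or from the cited ESET analysis; it assumes the ScriptBlockText field has been extracted, and both sample blocks are constructed (the first is a synthetic stand-in for the tradecraft described, with a non-functional AMSI patch skeleton and an invented registry path, not a Turla sample). The signal names, weights and threshold are the example's own.

```python
"""Score PowerShell script blocks for AMSI tampering, registry-staged payloads,
encrypted-script decoding and machine-generated variable names.

Added example; the two script blocks below are constructed.
"""
import re

# Each signal: regex over the script block text and a weight.
SIGNALS = {
    "amsi_tamper": (re.compile(r"amsi\.dll|AmsiScanBuffer|amsiInitFailed|AmsiUtils", re.I), 4),
    "memory_patch": (re.compile(r"VirtualProtect|Marshal\]::Copy|GetProcAddress", re.I), 3),
    "registry_payload": (re.compile(r"(Get-ItemProperty|GetValue)\s*.*HK(LM|CU|EY_)", re.I), 3),
    "encrypted_script": (re.compile(r"Rfc2898DeriveBytes|TripleDES|CreateDecryptor|FromBase64String", re.I), 2),
    "in_memory_exec": (re.compile(r"\bIEX\b|Invoke-Expression|Invoke-ReflectivePEInjection|-EncodedCommand", re.I), 2),
}
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
BUILTIN_VARS = {"_", "null", "true", "false", "env", "profile", "psversiontable"}

# Constructed sample 1: patch AmsiScanBuffer, read a base64 blob from the
# Registry (path invented for the example), derive a key, run it in memory.
MALICIOUS_BLOCK = r'''
$hJ7kQ2pLx9 = [Win32]::GetProcAddress([Win32]::LoadLibrary('amsi.dll'), 'AmsiScanBuffer')
[Win32]::VirtualProtect($hJ7kQ2pLx9, [uint32]6, 0x40, [ref]$oldProt)
[Runtime.InteropServices.Marshal]::Copy($pY5tWbNz1, 0, $hJ7kQ2pLx9, 6)
$zXwRqTvNp4 = (Get-ItemProperty -Path 'HKCU:\Software\Sample\Config').Data
$bQ8mVcLwYs = [Convert]::FromBase64String($zXwRqTvNp4)
$kP3nDgTrWq = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($key, $salt)
IEX ([Text.Encoding]::Unicode.GetString($bQ8mVcLwYs))
'''

# Constructed sample 2: ordinary administration script.
BENIGN_BLOCK = r'''
$services = Get-Service | Where-Object { $_.Status -eq 'Stopped' }
foreach ($service in $services) {
    Write-Output ("{0} is stopped" -f $service.DisplayName)
}
'''


def looks_random(name):
    """Heuristic for generated identifiers: 8+ chars with digits mixed in,
    or almost no vowels (real variable names are usually pronounceable)."""
    if len(name) < 8:
        return False
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / max(len(letters), 1)
    return any(c.isdigit() for c in name) or vowel_ratio < 0.2


def score_script_block(text):
    """Return (score, reasons). In this example a score of 5 or more is the
    triage threshold; a single AMSI hit already clears it."""
    score, reasons = 0, []
    for label, (pattern, weight) in SIGNALS.items():
        if pattern.search(text):
            score += weight
            reasons.append(label)
    names = {n for n in VAR_RE.findall(text) if n.lower() not in BUILTIN_VARS}
    if names:
        random_share = sum(looks_random(n) for n in names) / len(names)
        if random_share >= 0.5:
            score += 2
            reasons.append(f"random_variable_names({random_share:.0%})")
    return score, reasons


if __name__ == "__main__":
    for label, block in (("malicious", MALICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(label, score_script_block(block))
```

The AMSI patterns are weighted highest because a benign administration script has no reason to reference amsi.dll at all, while base64 decoding and Invoke-Expression occur in legitimate automation and only become interesting in combination with a registry read or a key-derivation call.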

Enterprise T1204 .001 User Execution: Malicious Link

Turla has used spearphishing via a link to get users to download and run their malware.[4]

Enterprise T1082 System Information Discovery

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[1][14]

Enterprise T1124 System Time Discovery

Turla surveys a system upon check-in to discover the system time by using the net time command.[1]

Enterprise T1007 System Service Discovery

Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command.[1]

Enterprise T1049 System Network Connections Discovery

Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[1][14] Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.[11]

Enterprise T1016 System Network Configuration Discovery

Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[1][15][14] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[11]

.001 Internet Connection Discovery

Turla has used tracert to check internet connectivity.[14]

Enterprise T1615 Group Policy Discovery

Turla surveys a system upon check-in to discover Group Policy details using the gpresult command.[14]

Enterprise T1102 Web Service

Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[13][22]

.002 Bidirectional Communication

A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[4][17]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[22]

Enterprise T1588 .001 Obtain Capabilities: Malware

Turla has used malware obtained after compromising other threat actors, such as OilRig.[19][20]

.002 Obtain Capabilities: Tool

Turla has obtained and customized publicly-available tools like Mimikatz.[15]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Turla RPC backdoors can impersonate or steal process tokens before executing commands.[11]

Enterprise T1087 .001 Account Discovery: Local Account

Turla has used net user to enumerate local accounts on the system.[14][22]

.002 Account Discovery: Domain Account

Turla has used net user /domain to enumerate domain accounts.[14]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[14]

Enterprise T1105 Ingress Tool Transfer

Turla has used shellcode to download Meterpreter after compromising a victim.[17]

Enterprise T1057 Process Discovery

Turla surveys a system upon check-in to discover running processes using the tasklist /v command.[1] Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes.[11]

Enterprise T1055 Process Injection

Turla has used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system.[11]

.001 Dynamic-link Library Injection

Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.[17][24]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Turla used net use commands to connect to lateral systems within a network.[1]
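
The Brute Force, Local Accounts and SMB/Windows Admin Shares entries describe the same lateral movement pattern from the defender's side: one source host tries a password list against an account on several machines over SMB, and once a shared local password works, the same local account authenticates over the network to host after host. Both show up in Security log events 4625 and 4624 with LogonType 3. The detector below is an added example, not code from this page or from the cited Kaspersky and ESET reports; it assumes those events are forwarded centrally and parsed into dicts using the standard field names (TargetUserName, TargetDomainName, IpAddress, LogonType, plus Computer for the target host). The sample events, hosts, addresses and thresholds are constructed.

```python
"""Spot net-use style password guessing and reuse of a shared local account
across hosts from Windows logon events 4625/4624 (LogonType 3).

Added example; all events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGONS = [
    # Source 10.0.0.5 walks Administrator against three servers, then gets in
    # on two of them with the same local password.
    {"ts": "2024-06-26T02:00:01", "Computer": "SRV01", "EventID": 4625, "TargetUserName": "Administrator",
     "TargetDomainName": "SRV01", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"ts": "2024-06-26T02:00:04", "Computer": "SRV02", "EventID": 4625, "TargetUserName": "Administrator",
     "TargetDomainName": "SRV02", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"ts": "2024-06-26T02:00:07", "Computer": "SRV03", "EventID": 4625, "TargetUserName": "Administrator",
     "TargetDomainName": "SRV03", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"ts": "2024-06-26T02:00:10", "Computer": "SRV02", "EventID": 4624, "TargetUserName": "Administrator",
     "TargetDomainName": "SRV02", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"ts": "2024-06-26T02:00:13", "Computer": "SRV03", "EventID": 4624, "TargetUserName": "Administrator",
     "TargetDomainName": "SRV03", "IpAddress": "10.0.0.5", "LogonType": 3},
    # A domain user mistyping a password once, then succeeding: benign.
    {"ts": "2024-06-26T09:14:50", "Computer": "FS01", "EventID": 4625, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.23", "LogonType": 3},
    {"ts": "2024-06-26T09:15:00", "Computer": "FS01", "EventID": 4624, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.23", "LogonType": 3},
]


def is_local_account(e):
    """A local account's TargetDomainName is the target host itself (or blank/'.')."""
    return e["TargetDomainName"].upper() in ("", ".", e["Computer"].upper())


def detect_lateral_guessing(events, window=timedelta(minutes=10), min_targets=3):
    """Rule A: one source guessing one account name against >= min_targets
    distinct hosts inside `window`. Returns (rule, source, account, targets)."""
    by_key = defaultdict(list)
    for e in events:
        if e["LogonType"] == 3 and e["EventID"] == 4625:
            by_key[(e["IpAddress"], e["TargetUserName"].lower())].append(
                (datetime.fromisoformat(e["ts"]), e["Computer"]))
    findings = []
    for (src, user), hits in by_key.items():
        hits.sort()
        for i in range(len(hits)):
            targets = {host for t, host in hits[i:] if t - hits[i][0] <= window}
            if len(targets) >= min_targets:
                findings.append(("guessing", src, user, sorted(targets)))
                break
    return findings


def detect_shared_local_admin(events, min_hosts=2):
    """Rule B: a local (non-domain) account succeeding over the network from one
    source to several hosts, the signature of a reused local password."""
    by_key = defaultdict(set)
    for e in events:
        if e["LogonType"] == 3 and e["EventID"] == 4624 and is_local_account(e):
            by_key[(e["IpAddress"], e["TargetUserName"].lower())].add(e["Computer"])
    return [("shared-local-account", src, user, sorted(hosts))
            for (src, user), hosts in by_key.items() if len(hosts) >= min_hosts]


if __name__ == "__main__":
    for f in detect_lateral_guessing(SAMPLE_LOGONS) + detect_shared_local_admin(SAMPLE_LOGONS):
        print(f)
```

Rule B is the one worth keeping permanently: a local account should never authenticate over the network to more than one host, so it has almost no benign matches, whereas the failure-count rule needs tuning against service accounts with stale credentials.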

Enterprise T1018 Remote System Discovery

Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. Turla has also used net group "Domain Computers" /domain, net group "Domain Controllers" /domain, and net group "Exchange Servers" /domain to enumerate domain computers, including the organization's DC and Exchange Server.[1][14]
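
The survey-on-check-in behaviour that runs through the discovery entries above (System Information, System Time, System Service, System Network Connections and Configuration, Group Policy, Password Policy, Permission Groups, Account, Process, Query Registry, Peripheral Device and Remote System Discovery) is hard to catch one command at a time, since every one of those commands is also typed by administrators. What is distinctive is the burst: a dozen different discovery commands from one host and user inside a minute or two. The detector below is an added example, not code from this page or from the cited reports; it assumes process-creation telemetry (Sysmon Event ID 1 or Windows 4688) parsed into (timestamp, host, user, command line) tuples. The sample events reuse the commands named in the entries above but are constructed, as are the window and threshold.

```python
"""Detect a post-compromise system survey: many distinct discovery techniques
from one host/user inside a short window.

Added example; the process-creation records below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex over the normalised command line, and the technique it serves.
# Order matters: more specific patterns come before generic ones.
DISCOVERY_PATTERNS = [
    (r"^systeminfo\b", "T1082 System Information Discovery"),
    (r"^net\s+time\b", "T1124 System Time Discovery"),
    (r"^tasklist\b.*\s/svc\b", "T1007 System Service Discovery"),
    (r"^tasklist\b", "T1057 Process Discovery"),
    (r"^(netstat|net\s+(use|file|session))\b", "T1049 System Network Connections Discovery"),
    (r"^(arp\s+-a|nbtstat\b|net\s+config\b|ipconfig\b|route\b)", "T1016 System Network Configuration Discovery"),
    (r"^tracert\b", "T1016.001 Internet Connection Discovery"),
    (r"^gpresult\b", "T1615 Group Policy Discovery"),
    (r"^net\s+accounts\b", "T1201 Password Policy Discovery"),
    (r"^net\s+localgroup\b", "T1069.001 Local Groups"),
    (r"^net\s+group\b", "T1069.002 Domain Groups / T1018 Remote System Discovery"),
    (r"^net\s+user\b", "T1087 Account Discovery"),
    (r"^net\s+view\b", "T1018 Remote System Discovery"),
    (r"^reg\s+query\b", "T1012 Query Registry"),
    (r"^fsutil\s+fsinfo\s+drives\b", "T1120 Peripheral Device Discovery"),
]
COMPILED = [(re.compile(p, re.I), t) for p, t in DISCOVERY_PATTERNS]

SAMPLE_EVENTS = [  # (timestamp, host, user, command line), constructed
    ("2024-06-26T10:00:01", "WS01", "CORP\\alice", "systeminfo"),
    ("2024-06-26T10:00:03", "WS01", "CORP\\alice", "net time"),
    ("2024-06-26T10:00:05", "WS01", "CORP\\alice", "tasklist /svc"),
    ("2024-06-26T10:00:07", "WS01", "CORP\\alice", "tasklist /v"),
    ("2024-06-26T10:00:09", "WS01", "CORP\\alice", "netstat -an"),
    ("2024-06-26T10:00:11", "WS01", "CORP\\alice", "arp -a"),
    ("2024-06-26T10:00:13", "WS01", "CORP\\alice", "ipconfig /all"),
    ("2024-06-26T10:00:15", "WS01", "CORP\\alice", "gpresult /z"),
    ("2024-06-26T10:00:17", "WS01", "CORP\\alice", "net accounts /domain"),
    ("2024-06-26T10:00:19", "WS01", "CORP\\alice", "net localgroup Administrators"),
    ("2024-06-26T10:00:21", "WS01", "CORP\\alice", 'net group "Domain Admins" /domain'),
    ("2024-06-26T10:00:23", "WS01", "CORP\\alice", "net view /DOMAIN"),
    ("2024-06-26T10:00:25", "WS01", "CORP\\alice", "fsutil fsinfo drives"),
    ("2024-06-26T10:00:27", "WS01", "CORP\\alice", "notepad.exe C:\\notes.txt"),
    ("2024-06-26T11:30:00", "WS02", "CORP\\bob", "ipconfig /all"),
    ("2024-06-26T14:10:00", "WS02", "CORP\\bob", "net view"),
]


def normalize(cmd):
    """Strip a leading full path and .exe: 'C:\\Windows\\system32\\net.exe view' -> 'net view'."""
    return re.sub(r'^"?(?:[A-Za-z]:\\[^"\s]*\\)?([A-Za-z0-9]+)(?:\.exe)?"?', r"\1",
                  cmd.strip(), flags=re.I)


def classify(cmd):
    """Return the discovery technique a command line serves, or None."""
    c = normalize(cmd)
    for pattern, technique in COMPILED:
        if pattern.search(c):
            return technique
    return None


def detect_survey(events, window=timedelta(seconds=120), min_techniques=5):
    """One finding per (host, user) whose distinct discovery techniques inside
    `window` reach min_techniques: (host, user, first_ts, last_ts, techniques).
    The window is widened forward once the threshold is hit so the finding
    lists the whole burst, not just the first five commands."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        technique = classify(cmd)
        if technique:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), technique))
    findings = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({t for _, t in hits[start:end + 1]}) >= min_techniques:
                last = end
                while last + 1 < len(hits) and hits[last + 1][0] - hits[start][0] <= window:
                    last += 1
                techniques = sorted({t for _, t in hits[start:last + 1]})
                findings.append((host, user, hits[start][0], hits[last][0], techniques))
                break
    return findings


if __name__ == "__main__":
    for host, user, first, last, techniques in detect_survey(SAMPLE_EVENTS):
        print(f"{host} {user} {first:%H:%M:%S}-{last:%H:%M:%S}: {len(techniques)} techniques")
```

Counting distinct techniques rather than raw commands is what keeps the rule quiet: an administrator who runs ipconfig three times in a row still scores one, while a scripted survey that touches five different technique families in two minutes is rare outside of an intrusion or an authorised assessment.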

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Turla has used WebDAV to upload stolen USB files to a cloud drive.[15] Turla has also exfiltrated stolen files to OneDrive and 4shared.[14]

Enterprise T1566 .002 Phishing: Spearphishing Link

Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[4]

Enterprise T1564 .012 Hide Artifacts: File/Path Exclusions

Turla has placed LunarWeb install files into directories that are excluded from scanning.[16]

Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.[23][25]

Software

ID Name References Techniques
S0099 Arp [1] System Network Configuration Discovery, Remote System Discovery
S0335 Carbon [26][6] Create or Modify System Process: Windows Service, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Permission Groups Discovery, Query Registry, Obfuscated Files or Information, System Time Discovery, System Network Connections Discovery, System Network Configuration Discovery, Web Service, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote System Discovery, Non-Application Layer Protocol, Scheduled Task/Job: Scheduled Task
S0160 certutil [15] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0126 ComRAT [8][18][6] Event Triggered Execution: Component Object Model Hijacking, Masquerading: Masquerade Task or Service, Modify Registry, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Native API, Query Registry, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Embedded Payloads, System Time Discovery, Web Service: Bidirectional Communication, Software Discovery, Process Injection: Dynamic-link Library Injection, Hide Artifacts: Hidden File System, Scheduled Task/Job: Scheduled Task, Scheduled Transfer
S0538 Crutch [22][10] Data from Removable Media, Data from Local System, Masquerading: Masquerade Task or Service, Hijack Execution Flow: DLL Search Order Hijacking, Fallback Channels, Peripheral Device Discovery, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Data Staged: Local Data Staging, Web Service: Bidirectional Communication, Automated Collection, Automated Exfiltration, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0363 Empire [27][22] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0091 Epic [1][6] Encrypted Channel: Symmetric Cryptography, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Archive Collected Data, File and Directory Discovery, Permission Groups Discovery: Local Groups, Query Registry, Obfuscated Files or Information, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Process Discovery, Process Injection: Extra Window Memory Injection, Remote System Discovery, Subvert Trust Controls: Code Signing
S0168 Gazer [2] Event Triggered Execution: Screensaver, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Winlogon Helper DLL, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Application Layer Protocol: Web Protocols, Execution Guardrails: Mutual Exclusion, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Owner/User Discovery, Ingress Tool Transfer, Process Injection: Thread Execution Hijacking, Process Injection, Hide Artifacts: NTFS File Attributes, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0537 HyperStack [13] Modify Registry, Encrypted Channel: Symmetric Cryptography, Valid Accounts: Default Accounts, Native API, Account Discovery: Local Account, Inter-Process Communication
S0581 IronNetInjector [18] Masquerading: Masquerade Task or Service, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Python, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Task/Job: Scheduled Task
S0265 Kazuar [28][10] Windows Management Instrumentation, Data from Local System, Proxy: Internal Proxy, Create or Modify System Process: Windows Service, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Screen Capture, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, Data Destruction, File and Directory Discovery, Permission Groups Discovery: Local Groups, Obfuscated Files or Information, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication, Video Capture, Account Discovery: Local Account, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Scheduled Transfer
S1075 KOPILUWAK [29] Data from Local System, Command and Scripting Interpreter: JavaScript, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Process Discovery, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment
S0395 LightNeuron [30][6] Data from Local System, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Mail Protocols, Archive Collected Data, Data Staged: Local Data Staging, Data Manipulation: Transmitted Data Manipulation, Data Obfuscation: Steganography, Server Software Component: Transport Agent, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Email Collection: Remote Email Collection, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery, Automated Collection, Automated Exfiltration, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Transfer
S1143 LunarLoader [16] Office Application Startup: Add-ins, Reflective Code Loading, Deobfuscate/Decode Files or Information, Execution Guardrails, System Network Configuration Discovery
S1142 LunarMail [16] Create or Modify System Process, Office Application Startup: Add-ins, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Screen Capture, Application Layer Protocol: Mail Protocols, Data Staged: Local Data Staging, Data Obfuscation: Steganography, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, Email Collection: Local Email Collection, Indicator Removal: Clear Mailbox Data, Indicator Removal: File Deletion, System Information Discovery, Exfiltration Over C2 Channel, Non-Application Layer Protocol
S1141 LunarWeb [16] Windows Management Instrumentation, Proxy, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Multi-Stage Channels, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Library, Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Data Obfuscation: Steganography, Data Encoding: Standard Encoding, File and Directory Discovery, Permission Groups Discovery: Local Groups, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Software Discovery, Software Discovery: Security Software Discovery, Process Discovery, Inter-Process Communication
S0002 Mimikatz [17][15] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0256 Mosquito [4][17][6] Windows Management Instrumentation, Event Triggered Execution: Component Object Model Hijacking, Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Owner/User Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery
S0590 NBTscan [15] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0102 nbtstat [1] System Network Connections Discovery, System Network Configuration Discovery
S0039 Net [1] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [1] System Network Connections Discovery
S0587 Penquin [7] Masquerading: Match Legitimate Name or Location, Encrypted Channel: Asymmetric Cryptography, Command and Scripting Interpreter: Unix Shell, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Traffic Signaling, Traffic Signaling: Socket Filters, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery, Network Sniffing, Ingress Tool Transfer, Exfiltration Over C2 Channel, Non-Application Layer Protocol, Scheduled Task/Job: Cron
S0393 PowerStallion [11] Command and Scripting Interpreter: PowerShell, Obfuscated Files or Information, Indicator Removal: Timestomp, Web Service: Bidirectional Communication, Process Discovery
S0029 PsExec [15] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0075 Reg [1] Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry
S0096 Systeminfo [1][16] System Information Discovery
S0057 Tasklist [1] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery
S0668 TinyTurla [10] Data from Local System, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Encrypted Channel: Asymmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Application Layer Protocol: Web Protocols, Native API, Query Registry, Obfuscated Files or Information: Fileless Storage, System Services: Service Execution, Ingress Tool Transfer, Scheduled Transfer
S0022 Uroburos [1][5] Rootkit, Data from Local System, Proxy: Multi-hop Proxy, Masquerading: Masquerade Task or Service, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Fallback Channels, Multi-Stage Channels, Application Layer Protocol: Mail Protocols, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Data Obfuscation: Junk Data, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Non-Standard Encoding, File and Directory Discovery, Native API, Query Registry, Traffic Signaling, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Embedded Payloads, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer, Process Discovery, Process Injection: Dynamic-link Library Injection, Inter-Process Communication, Hide Artifacts: Hidden File System, Non-Application Layer Protocol

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  2. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  3. Meyers, A. (2018, March 12). Meet CrowdStrike’s Adversary of the Month for March: VENOMOUS BEAR. Retrieved May 16, 2018.
  4. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  5. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  6. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.
  7. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  8. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  9. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  10. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  11. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  12. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  13. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  14. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  15. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  16. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  17. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  18. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  19. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  20. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
  21. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  22. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  23. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
  24. Rapid7. (2013, November 26). meterpreter/source/extensions/priv/server/elevate/. Retrieved July 8, 2018.
  25. TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.
  26. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  27. ESET. (2018, August). Turla Outlook Backdoor: Analysis of an unusual Turla backdoor. Retrieved March 11, 2019.
  28. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  29. Hawley, S., et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  30. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.