1. Home
  2. Software
  3. Epic

Epic

Epic is a backdoor that has been used by Turla. [1]

ID: S0091
Associated Software: Tavdig, Wipbot, WorldCupSec, TadjMakhal
Type: MALWARE
Platforms: Windows
Contributors: Martin Smolár, ESET
Version: 1.3
Created: 31 May 2017
Last Modified: 26 October 2020

Associated Software Descriptions

Name Description
Tavdig

[1]
Wipbot

[1]
WorldCupSec

[1]
TadjMakhal

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Epic encrypts commands from the C2 server using a hardcoded key.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Epic uses HTTP and HTTPS for C2 communications.[1][2]
Enterprise T1560 归档收集数据

Epic encrypts collected data using a public key framework before sending it over the C2 channel.[1] Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[2]
.002 Archive via Library

Epic compresses the collected data with bzip2 before sending it to the C2 server.[2]
Enterprise T1083 文件和目录发现

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.[1][2]
Enterprise T1069 .001 权限组发现: Local Groups

Epic gathers information on local group names.[2]
Enterprise T1012 查询注册表

Epic uses the rem reg query command to obtain values from Registry keys.[1]
Enterprise T1027 混淆文件或信息

Epic heavily obfuscates its code to make analysis more difficult.[1]
Enterprise T1070 .004 移除指标: File Deletion

Epic has a command to delete a file from the machine.[2]
Enterprise T1082 系统信息发现

Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.[2]
Enterprise T1033 系统所有者/用户发现

Epic collects the user name from the victim’s machine.[2]
Enterprise T1124 系统时间发现

Epic uses the net time command to get the system time from the machine and collect the current date and time zone information.[1]
Enterprise T1007 系统服务发现

Epic uses the tasklist /svc command to list the services on the system.[1]
Enterprise T1049 系统网络连接发现

Epic uses the net use, net session, and netstat commands to gather information on network connections.[1][2]
Enterprise T1016 系统网络配置发现

Epic uses the nbtstat -n and nbtstat -s commands on the victim’s machine.[1]
Enterprise T1087 .001 账号发现: Local Account

Epic gathers a list of all user accounts, privilege classes, and time of last logon.[2]
Enterprise T1518 .001 软件发现: Security Software Discovery

Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[1]
Enterprise T1057 进程发现

Epic uses the tasklist /v command to obtain a list of processes.[1][2]
Enterprise T1055 .011 进程注入: Extra Window Memory Injection

Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.[3]
Enterprise T1018 远程系统发现

Epic uses the net view command on the victim’s machine.[1]
Enterprise T1553 .002 颠覆信任控制: Code Signing

Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.[1]

Groups That Use This Software

ID Name References
G0010 Turla

[1][4]

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  2. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  1. Boutin, J. and Faou, M. (2018). Visiting the snake nest. Retrieved May 7, 2019.
  2. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.