1. Home
  2. Software
  3. HyperStack

HyperStack

HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.[1]

ID: S0537
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 02 December 2020
Last Modified: 04 December 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 修改注册表

HyperStack can add the name of its communication pipe to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes.[1]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

HyperStack has used RSA encryption for C2 communications.[1]
Enterprise T1078 .001 有效账户: Default Accounts

HyperStack can use default credentials to connect to IPC$ shares on remote machines.[1]
Enterprise T1106 本机API

HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.[1]
Enterprise T1087 .001 账号发现: Local Account

HyperStack can enumerate all account names on a remote share.[1]
Enterprise T1559 进程间通信

HyperStack can connect to the IPC$ share on remote machines.[1]

Groups That Use This Software

ID Name References
G0010 Turla

[1]

References

  1. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.