Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017) (Citation: CrowdStrike VENOMOUS BEAR) (Citation: ESET Turla Mosquito Jan 2018)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, macOS, Windows | exfiltration | Data Encrypted | Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration. | File monitoring, Process monitoring, Process command-line parameters, Binary file metadata |
| Linux, macOS, Windows | exfiltration | Exfiltration Over Alternative Protocol | Turla has used WebDAV to upload stolen USB files to a cloud drive. | User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | Turla has used PowerShell and VBS scripts throughout its operations. | Process monitoring, File monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure | credential-access | Credentials in Files | Turla has gathered credentials from the Windows Credential Manager tool. | File monitoring, Process command-line parameters |
| Linux, macOS, Windows | execution | Command-Line Interface | Turla RPC backdoors have used cmd.exe to execute commands. | Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | Turla RPC backdoors can upload files from victim machines. | File monitoring, Process monitoring, Process command-line parameters |
| Windows | defense-evasion, privilege-escalation | Access Token Manipulation | Turla RPC backdoors can impersonate or steal process tokens before executing commands. | API monitoring, Access tokens, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | collection | Data from Removable Media | Turla RPC backdoors can collect files from USB thumb drives. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control, defense-evasion | Connection Proxy | Turla RPC backdoors have included local UPnP RPC proxies. | Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture |
| Windows | defense-evasion | Deobfuscate/Decode Files or Information | Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion | Disabling Security Tools | Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products. | API monitoring, File monitoring, Services, Windows Registry, Process command-line parameters, Anti-virus |
| Windows | execution | Execution through API | Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes. | API monitoring, Process monitoring |
| Windows | persistence | Windows Management Instrumentation Event Subscription | Turla has used WMI event filters and consumers to establish persistence. | WMI Objects |
| Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads. |
Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
| Windows | defense-evasion | Modify Registry | Turla has used the Registry to store encrypted payloads. | Windows Registry, File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Windows | persistence, privilege-escalation | PowerShell Profile | Turla has used PowerShell profiles to maintain persistence on an infected machine. | Process monitoring, File monitoring, PowerShell logs |
| Windows, macOS, Linux | initial-access | Spearphishing Attachment | Turla has used spearphishing emails to deliver BrainTest as a malicious attachment. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
| Windows, macOS, Linux, Office 365, SaaS | initial-access | Spearphishing Link | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access. | Packet capture, Web proxy, Email gateway, Detonation chamber, SSL/TLS inspection, DNS records, Mail server |
| Windows | execution | PowerShell | Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject. Turla has also used PowerShell scripts to load and execute malware in memory. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion, privilege-escalation | Process Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system. |
API monitoring, Windows Registry, File monitoring, DLL monitoring, Process monitoring, Named Pipes |
| Windows | persistence | Winlogon Helper DLL | Turla established persistence by adding a Shell value under the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion]Winlogon. |
Windows Registry, File monitoring, Process monitoring |
| Windows | persistence | Registry Run Keys / Startup Folder | A Turla Javascript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. |
Windows Registry, File monitoring |
| Linux, Windows, macOS | execution | User Execution | Turla has used spearphishing via a link to get users to download and run their malware. | Anti-virus, Process command-line parameters, Process monitoring |
| Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | Turla has used shellcode to download Meterpreter after compromising a victim. Turla RPC backdoors can also download files onto victim machines. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
| Linux, macOS, Windows | command-and-control, defense-evasion | Web Service | A Turla JavaScript backdoor has used Google Apps Script as its C2 server. | Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | Turla has used HTTP and HTTPS for C2 communications. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Linux, macOS, Windows | defense-evasion | Indicator Removal from Tools | Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. | Process use of network, Process monitoring, Process command-line parameters, Anti-virus, Binary file metadata |
| Linux, macOS, Windows | discovery | File and Directory Discovery | Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory. Turla RPC backdoors have also searched for files matching the lPH*.dll pattern. |
File monitoring, Process monitoring, Process command-line parameters |
| Windows | discovery | Query Registry | Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command. Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes . |
Windows Registry, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, Office 365, Azure AD, SaaS | credential-access | Brute Force | Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords. |
Office 365 account logs, Authentication logs |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands. |
Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Network Connections Discovery | Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands. Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call. |
Process monitoring, Process command-line parameters |
| Windows | discovery | System Time Discovery | Turla surveys a system upon check-in to discover the system time by using the net time command. |
Process monitoring, Process command-line parameters, API monitoring |
| Linux, macOS, Windows, GCP, Azure, AWS | discovery | Remote System Discovery | Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. |
Network protocol analysis, Process monitoring, Process use of network, Process command-line parameters |
| Windows | lateral-movement | Windows Admin Shares | Turla used net use commands to connect to lateral systems within a network. |
Process use of network, Authentication logs, Process monitoring, Process command-line parameters |
| Windows | discovery | System Service Discovery | Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command. |
Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | discovery | Process Discovery | Turla surveys a system upon check-in to discover running processes using the tasklist /v command. Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes. |
Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | discovery | System Network Configuration Discovery | Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, nbtscan, and net config commands. Turla RPC backdoors have also retrieved registered RPC interface information from process memory. |
Process monitoring, Process command-line parameters |