Turla | APT Profile

Description

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Techniques Used (TTPs)

T1584.006 — Web Services (resource-development)
T1112 — Modify Registry (defense-evasion, persistence)
T1069.001 — Local Groups (discovery)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1588.002 — Tool (resource-development)
T1059.007 — JavaScript (execution)
T1134.002 — Create Process with Token (defense-evasion, privilege-escalation)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1059.005 — Visual Basic (execution)
T1546.013 — PowerShell Profile (privilege-escalation, persistence)
T1583.006 — Web Services (resource-development)
T1055.001 — Dynamic-link Library Injection (defense-evasion, privilege-escalation)
T1105 — Ingress Tool Transfer (command-and-control)
T1555.004 — Windows Credential Manager (credential-access)
T1090 — Proxy (command-and-control)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1615 — Group Policy Discovery (discovery)
T1049 — System Network Connections Discovery (discovery)
T1106 — Native API (execution)
T1071.003 — Mail Protocols (command-and-control)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1005 — Data from Local System (collection)
T1012 — Query Registry (discovery)
T1007 — System Service Discovery (discovery)
T1110 — Brute Force (credential-access)
T1570 — Lateral Tool Transfer (lateral-movement)
T1189 — Drive-by Compromise (initial-access)
T1584.004 — Server (resource-development)
T1087.002 — Domain Account (discovery)
T1564.012 — File/Path Exclusions (defense-evasion)
T1120 — Peripheral Device Discovery (discovery)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1102.002 — Bidirectional Communication (command-and-control)
T1071.001 — Web Protocols (command-and-control)
T1124 — System Time Discovery (discovery)
T1087.001 — Local Account (discovery)
T1204.001 — Malicious Link (execution)
T1090.001 — Internal Proxy (command-and-control)
T1546.003 — Windows Management Instrumentation Event Subscription (privilege-escalation, persistence)
T1560.001 — Archive via Utility (collection)
T1059.003 — Windows Command Shell (execution)
T1057 — Process Discovery (discovery)
T1016 — System Network Configuration Discovery (discovery)
T1587.001 — Malware (resource-development)
T1025 — Data from Removable Media (collection)
T1518.001 — Security Software Discovery (discovery)
T1059.001 — PowerShell (execution)
T1027.010 — Command Obfuscation (defense-evasion)
T1059.006 — Python (execution)
T1213 — Data from Information Repositories (collection)
T1018 — Remote System Discovery (discovery)
T1588.001 — Malware (resource-development)
T1069.002 — Domain Groups (discovery)
T1027.011 — Fileless Storage (defense-evasion)
T1547.004 — Winlogon Helper DLL (persistence, privilege-escalation)
T1553.006 — Code Signing Policy Modification (defense-evasion)
T1566.002 — Spearphishing Link (initial-access)
T1016.001 — Internet Connection Discovery (discovery)
T1102 — Web Service (command-and-control)
T1082 — System Information Discovery (discovery)
T1584.003 — Virtual Private Server (resource-development)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1201 — Password Policy Discovery (discovery)
T1083 — File and Directory Discovery (discovery)
T1027.005 — Indicator Removal from Tools (defense-evasion)

Total TTPs: 68

Malware & Tools

Malware: Carbon, ComRAT, Crutch, Epic, Gazer, HyperStack, KOPILUWAK, Kazuar, LightNeuron, LunarLoader, LunarMail, LunarWeb, Mosquito, Penquin, PowerStallion, TinyTurla, Uroburos

Tools: Arp, Empire, IronNetInjector, Mimikatz, NBTscan, Net, PsExec, Reg, Systeminfo, Tasklist, certutil, nbtstat, netstat

← Return to Home ← Back to APT Search