win.skipper

Skipper

Actor(s): Turla Group


There is no description at this point.

References
2020-03-12 | ESET Research | Matthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 | CrowdStrike | CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-05-19 | Telsy | Webmaster
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} } Following the Turla’s Skipper over the ocean of cyber operations
Skipper
2018-10-04 | Kaspersky Labs | GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-06-06 | ESET Research | Jean-Ian Boutin
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
HTML5 Encoding Skipper
2016-06-30 | Bitdefender | Bitdefender
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } Pacifier APT
Skipper
2015 | Bitdefender | Cristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } New Pacifier APT Components Point to Russian-Linked Turla Group
Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_skipper_auto {

    /* Purpose: family-level detection for the Turla "Skipper" backdoor
     * (Malpedia win.skipper). Matching is driven solely by the hex byte
     * sequences under strings:; every "// ..." line is an annotation emitted
     * by yara-signator and has no effect on what the rule matches.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* NOTE(review): the per-byte disassembly annotations below are not
         * reliably aligned with the bytes they sit next to. Examples:
         *   - $sequence_4: "0355fc" encodes add edx, dword ptr [ebp - 4], not
         *     "push 0"; the whole listing for that sequence belongs to some
         *     other block of code.
         *   - sequences whose bytes begin with 0x40-0x4f (e.g. $sequence_7,
         *     $sequence_9, $sequence_11) are x64 code carrying REX prefixes;
         *     the annotations render them as 32-bit, which is where the stray
         *     "dec esp" / "inc ecx" / "dec eax" lines come from.
         * Treat the hex as authoritative and disassemble it yourself before
         * quoting an annotation in triage notes. "n" is the instruction count
         * of the sequence; "score" is yara-signator's ranking of the sequence
         * (presumably by how many of the family's samples contain it - verify
         * against the tool's documentation). "??" bytes are wildcards and, from
         * the opcodes they follow (68 / e8 / ff15 / 8b0d ...), appear to mask
         * immediates, call targets and absolute addresses that vary per sample.
         */
        $sequence_0 = { 6a03 68???????? 68???????? 6a50 }
            // n = 4, score = 400
            //   6a03                 | push                3
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | push                0x50

        $sequence_1 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 300
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax

        $sequence_2 = { 6804010000 e8???????? 6804010000 8bf8 6a00 57 }
            // n = 6, score = 300
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi

        $sequence_3 = { ff15???????? 6a00 6a00 6a00 6a00 50 ff15???????? }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_4 = { 0355fc 81e2ff000080 7908 4a 81ca00ffffff 42 8955fc }
            // n = 7, score = 200
            // NOTE(review): the annotation below is misaligned with these bytes (see note at top of strings:).
            //   0355fc               | push                0
            //   81e2ff000080         | push                0
            //   7908                 | push                0x803000
            //   4a                   | push                0
            //   81ca00ffffff         | push                0
            //   42                   | mov                 dword ptr [ebp - 0x1ac0], eax
            //   8955fc               | mov                 eax, dword ptr [ebp - 0x1ad4]

        $sequence_5 = { 53 e8???????? 6804010000 e8???????? }
            // n = 4, score = 200
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_6 = { 0fb645f8 8a8c05f0feffff 888deffeffff 0fb655fc 0fb645f8 }
            // n = 5, score = 200
            //   0fb645f8             | pop                 ebp
            //   8a8c05f0feffff       | ret                 
            //   888deffeffff         | push                ebp
            //   0fb655fc             | mov                 ebp, esp
            //   0fb645f8             | xor                 eax, eax

        $sequence_7 = { 4403c0 4403c6 4181e0ff000080 7d0d }
            // n = 4, score = 200
            // NOTE(review): x64 bytes (REX prefixes 44 / 41); the 32-bit annotation below does not describe them.
            //   4403c0               | dec                 esp
            //   4403c6               | lea                 ebx, [esp + 0x110]
            //   4181e0ff000080       | dec                 ecx
            //   7d0d                 | mov                 ebx, dword ptr [ebx + 0x10]

        $sequence_8 = { 40 0fb60438 0fb6ca 03d8 03d9 81e3ff000080 }
            // n = 6, score = 200
            //   40                   | push                0x104
            //   0fb60438             | mov                 edi, eax
            //   0fb6ca               | push                0
            //   03d8                 | push                edi
            //   03d9                 | push                0
            //   81e3ff000080         | push                0

        $sequence_9 = { 4833cc e8???????? 4c8d9c2410010000 498b5b10 498b6b18 }
            // n = 5, score = 200
            //   4833cc               | dec                 ecx
            //   e8????????           |                     
            //   4c8d9c2410010000     | arpl                cx, bp
            //   498b5b10             | dec                 ecx
            //   498b6b18             | mov                 edi, eax

        $sequence_10 = { 83c404 6a00 6a64 52 50 }
            // n = 5, score = 200
            //   83c404               | push                edi
            //   6a00                 | push                0
            //   6a64                 | push                0
            //   52                   | push                0
            //   50                   | push                0

        $sequence_11 = { 0fb6c1 4c8d0424 488d1424 4c03c0 410fb6c2 }
            // n = 5, score = 200
            //   0fb6c1               | movzx               eax, cl
            //   4c8d0424             | dec                 esp
            //   488d1424             | lea                 eax, [esp]
            //   4c03c0               | dec                 eax
            //   410fb6c2             | lea                 edx, [esp]

        $sequence_12 = { 888c05f0feffff 0fb655fc 8a85effeffff 888415f0feffff 0fb64df8 }
            // n = 5, score = 200
            //   888c05f0feffff       | push                0x64
            //   0fb655fc             | add                 esp, 4
            //   8a85effeffff         | push                0
            //   888415f0feffff       | push                0x64
            //   0fb64df8             | push                edx

        $sequence_13 = { 888deffeffff 0fb695e8feffff 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff }
            // n = 6, score = 200
            //   888deffeffff         | push                0
            //   0fb695e8feffff       | push                0x803000
            //   8b85e0feffff         | push                0
            //   8a8c15f0feffff       | push                0
            //   888c05f0feffff       | push                0
            //   0fb695e8feffff       | push                0x803000

        $sequence_14 = { 8a8415f0feffff 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 0fb685eefeffff 33d0 }
            // n = 7, score = 200
            //   8a8415f0feffff       | mov                 edx, dword ptr [eax*4 + 0x242fc0]
            //   8885eefeffff         | cmp                 dword ptr [esi + edx + 0x38], 0
            //   8b4d10               | je                  0x2b
            //   038ddcfeffff         | push                0
            //   0fbe11               | push                0
            //   0fb685eefeffff       | push                3
            //   33d0                 | push                0x50

        $sequence_15 = { 56 e8???????? 59 eb36 8b852ce5ffff 8b8d1ce5ffff 8b0485c02f2400 }
            // n = 7, score = 200
            //   56                   | push                eax
            //   e8????????           |                     
            //   59                   | push                0
            //   eb36                 | push                0
            //   8b852ce5ffff         | push                0
            //   8b8d1ce5ffff         | push                0
            //   8b0485c02f2400       | push                eax

        $sequence_16 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 200
            //   6800308000           | push                0x803000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_17 = { 418bc1 8d1492 03d2 2bc2 4863d0 }
            // n = 5, score = 200
            //   418bc1               | movzx               edx, byte ptr [esp + eax]
            //   8d1492               | inc                 esp
            //   03d2                 | add                 edx, edx
            //   2bc2                 | dec                 eax
            //   4863d0               | xor                 ecx, esp

        $sequence_18 = { ffc1 4863c1 0fb61404 4403d2 }
            // n = 4, score = 200
            //   ffc1                 | dec                 eax
            //   4863c1               | lea                 edx, [esp]
            //   0fb61404             | inc                 esp
            //   4403d2               | mov                 edx, ecx

        $sequence_19 = { 8b85e0feffff 83c001 8985e0feffff 81bde0feffff00010000 }
            // n = 4, score = 200
            //   8b85e0feffff         | push                eax
            //   83c001               | add                 esp, 4
            //   8985e0feffff         | push                0
            //   81bde0feffff00010000     | push    0x64

        $sequence_20 = { 0fb61404 4232541fff 418853ff 48ffcb 0f8575ffffff }
            // n = 5, score = 200
            //   0fb61404             | dec                 ecx
            //   4232541fff           | mov                 ebp, dword ptr [ebx + 0x18]
            //   418853ff             | inc                 ecx
            //   48ffcb               | dec                 eax
            //   0f8575ffffff         | arpl                cx, ax

        $sequence_21 = { 0f95c0 85c0 74dc e8???????? 85c0 78e3 }
            // n = 6, score = 200
            //   0f95c0               | setne               al
            //   85c0                 | test                eax, eax
            //   74dc                 | je                  0xffffffde
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   78e3                 | js                  0xffffffe5

        $sequence_22 = { e9???????? c785dcfeffff00000000 eb0f 8b8ddcfeffff }
            // n = 4, score = 200
            //   e9????????           |                     
            //   c785dcfeffff00000000     | push    0
            //   eb0f                 | push                3
            //   8b8ddcfeffff         | push                0x50

        $sequence_23 = { 81ca00ffffff 42 0fb6d2 8a8415f0feffff 8885eefeffff 8b4d10 }
            // n = 6, score = 200
            //   81ca00ffffff         | push                eax
            //   42                   | push                0
            //   0fb6d2               | push                0
            //   8a8415f0feffff       | push                0
            //   8885eefeffff         | push                0
            //   8b4d10               | push                eax

        $sequence_24 = { 48896c2410 4889742418 48897c2420 4156 4881ec10010000 488b05???????? }
            // n = 6, score = 200
            //   48896c2410           | push                0x64
            //   4889742418           | push                edx
            //   48897c2420           | push                eax
            //   4156                 | add                 esp, 4
            //   4881ec10010000       | push                0
            //   488b05????????       |                     

        $sequence_25 = { 33c9 4963e9 498bf8 488d1424 448bd1 }
            // n = 5, score = 200
            //   33c9                 | dec                 esp
            //   4963e9               | add                 eax, eax
            //   498bf8               | inc                 ecx
            //   488d1424             | movzx               eax, dl
            //   448bd1               | xor                 ecx, ecx

        $sequence_26 = { e8???????? 6804010000 6a00 ff770c e8???????? 6800803801 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6804010000           | pop                 ecx
            //   6a00                 | pop                 ebp
            //   ff770c               | ret                 
            //   e8????????           |                     
            //   6800803801           | push                ebp

        $sequence_27 = { 488bc3 488d1582b20000 48c1f805 83e11f 488b04c2 }
            // n = 5, score = 100
            //   488bc3               | inc                 eax
            //   488d1582b20000       | movzx               eax, byte ptr [eax + edi]
            //   48c1f805             | movzx               ecx, dl
            //   83e11f               | add                 ebx, eax
            //   488b04c2             | add                 ebx, ecx

        $sequence_28 = { 6a00 8b95e4feffff 52 ff15???????? 8985d8feffff 6a00 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8985d8feffff         | mov                 dword ptr [ebp - 0x128], eax
            //   6a00                 | push                0

        $sequence_29 = { 8b8dd0feffff 51 6a00 6a00 8b95e4feffff 52 }
            // n = 6, score = 100
            //   8b8dd0feffff         | mov                 ecx, dword ptr [ebp - 0x130]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]
            //   52                   | push                edx

        $sequence_30 = { 4053 4883ec20 488bd9 e8???????? 488d052fae0000 }
            // n = 5, score = 100
            //   4053                 | push                edi
            //   4883ec20             | push                0x104
            //   488bd9               | push                0x104
            //   e8????????           |                     
            //   488d052fae0000       | mov                 edi, eax

        $sequence_31 = { 488d1ddda40000 488b0b ff15???????? ffc7 488903 }
            // n = 5, score = 100
            //   488d1ddda40000       | mov                 eax, dword ptr [ebp - 0x1ad4]
            //   488b0b               | mov                 eax, dword ptr [eax*4 + 0x242fc0]
            //   ff15????????         |                     
            //   ffc7                 | test                byte ptr [esi + eax + 4], 0x80
            //   488903               | je                  0x31e

        $sequence_32 = { 488d3d18a80000 482bfe 8a041f 8803 }
            // n = 4, score = 100
            //   488d3d18a80000       | push                ebx
            //   482bfe               | push                0x104
            //   8a041f               | push                esi
            //   8803                 | pop                 ecx

        $sequence_33 = { 8b4508 ff34c570a02300 ff15???????? 5d c3 }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff34c570a02300       | push                dword ptr [eax*8 + 0x23a070]
            //   ff15????????         |                     
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_34 = { c1ff05 8bf0 8b0cbd606d4100 83e61f c1e606 f6440e0401 }
            // n = 6, score = 100
            //   c1ff05               | sar                 edi, 5
            //   8bf0                 | mov                 esi, eax
            //   8b0cbd606d4100       | mov                 ecx, dword ptr [edi*4 + 0x416d60]
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   f6440e0401           | test                byte ptr [esi + ecx + 4], 1

        $sequence_35 = { 75e1 8bbdccfeffff 8b0d???????? 890f 8b15???????? }
            // n = 5, score = 100
            //   75e1                 | jne                 0xffffffe3
            //   8bbdccfeffff         | mov                 edi, dword ptr [ebp - 0x134]
            //   8b0d????????         |                     
            //   890f                 | mov                 dword ptr [edi], ecx
            //   8b15????????         |                     

        $sequence_36 = { 6a00 8b85d8feffff 50 8b8dd0feffff 51 6a00 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   8b85d8feffff         | mov                 eax, dword ptr [ebp - 0x128]
            //   50                   | push                eax
            //   8b8dd0feffff         | mov                 ecx, dword ptr [ebp - 0x130]
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_37 = { a1???????? 33c5 8945fc 57 8d85f0feffff 50 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   57                   | push                edi
            //   8d85f0feffff         | lea                 eax, [ebp - 0x110]
            //   50                   | push                eax

        $sequence_38 = { ff15???????? 488bc8 ff15???????? 488d15d1580000 488bcb 488905???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   488bc8               | and                 ebx, 0x800000ff
            //   ff15????????         |                     
            //   488d15d1580000       | test                eax, eax
            //   488bcb               | je                  0x31e
            //   488905????????       |                     

        $sequence_39 = { 418bd7 e8???????? 33c9 85c0 0f85bb010000 4c8d350ef00000 }
            // n = 6, score = 100
            //   418bd7               | dec                 eax
            //   e8????????           |                     
            //   33c9                 | lea                 eax, [0xae2f]
            //   85c0                 | dec                 eax
            //   0f85bb010000         | lea                 edi, [0xa818]
            //   4c8d350ef00000       | dec                 eax

        $sequence_40 = { 8bec 8b4508 33c9 3b04cda8a72300 7413 41 }
            // n = 6, score = 100
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   3b04cda8a72300       | cmp                 eax, dword ptr [ecx*8 + 0x23a7a8]
            //   7413                 | je                  0x15
            //   41                   | inc                 ecx

        $sequence_41 = { c3 48895c2408 57 4883ec20 488d05879b0000 8bda 488bf9 }
            // n = 7, score = 100
            //   c3                   | jmp                 0x39
            //   48895c2408           | mov                 eax, dword ptr [ebp - 0x1ad4]
            //   57                   | mov                 ecx, dword ptr [ebp - 0x1ae4]
            //   4883ec20             | mov                 eax, dword ptr [eax*4 + 0x242fc0]
            //   488d05879b0000       | push                0x104
            //   8bda                 | push                0
            //   488bf9               | push                dword ptr [edi + 0xc]

        $sequence_42 = { 85c0 7408 8bcb ff15???????? e8???????? 488d15327f0000 488d0dfb7e0000 }
            // n = 7, score = 100
            //   85c0                 | push                0x1388000
            //   7408                 | mov                 esi, eax
            //   8bcb                 | mov                 ecx, dword ptr [edi*4 + 0x242fc0]
            //   ff15????????         |                     
            //   e8????????           |                     
            //   488d15327f0000       | and                 esi, 0x1f
            //   488d0dfb7e0000       | shl                 esi, 6

        $sequence_43 = { 8bc6 c1f805 83e61f c1e606 03348520b72300 8b45e4 8b00 }
            // n = 7, score = 100
            //   8bc6                 | mov                 eax, esi
            //   c1f805               | sar                 eax, 5
            //   83e61f               | and                 esi, 0x1f
            //   c1e606               | shl                 esi, 6
            //   03348520b72300       | add                 esi, dword ptr [eax*4 + 0x23b720]
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b00                 | mov                 eax, dword ptr [eax]

    condition:
        // Any 7 of the 44 sequences above are enough for a hit; the size bound
        // (262144 = 256 KiB) keeps the rule to small on-disk / unpacked objects.
        // NOTE(review): filesize is the size of the scanned object - confirm how
        // your scanner populates it for process-memory scans before relying on
        // this rule in that mode.
        7 of them and filesize < 262144
}