SYMBOLCOMMON_NAMEaka. SYNONYMS
win.skipper (Back to overview)

Skipper

Actor(s): Turla Group

There is no description at this point.

References
2020-03-12ESET ResearchMatthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020SecureworksSecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-05-19TelsyWebmaster
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} } Following the Turla’s Skipper over the ocean of cyber operations
Skipper
2018-10-04Kaspersky LabsGReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-06-06ESET ResearchJean-Ian Boutin
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
HTML5 Encoding Skipper
2016-06-30BitdefenderBitdefender
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } Pacifier APT
Skipper
2015BitdefenderCristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } New Pacifier APT Components Point to Russian-Linked Turla Group
Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_skipper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a03 68???????? 68???????? 6a50 }
            // n = 4, score = 600
            //   6a03                 | push                3
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | push                0x50

        $sequence_1 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax

        $sequence_2 = { ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_3 = { 6804010000 e8???????? 6804010000 8bf8 6a00 }
            // n = 5, score = 500
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0

        $sequence_4 = { 0fb68405fcfeffff 320439 47 8847ff 4e }
            // n = 5, score = 400
            //   0fb68405fcfeffff     | push                0
            //   320439               | push                0
            //   47                   | push                0x104
            //   8847ff               | push                0x104
            //   4e                   | mov                 edi, eax

        $sequence_5 = { 03d0 8b85f8feffff 8a1a 0fb6c0 }
            // n = 4, score = 400
            //   03d0                 | push                0
            //   8b85f8feffff         | push                0
            //   8a1a                 | push                0
            //   0fb6c0               | push                0

        $sequence_6 = { e8???????? 6804010000 c7470400000000 e8???????? 6804010000 6a00 50 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   c7470400000000       | push                0x104
            //   e8????????           |                     
            //   6804010000           | mov                 edi, eax
            //   6a00                 | push                0
            //   50                   | push                edi

        $sequence_7 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | push                0x803000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_8 = { 83c404 6a00 6a64 52 50 e8???????? }
            // n = 6, score = 300
            //   83c404               | push                0
            //   6a00                 | push                0
            //   6a64                 | push                0
            //   52                   | push                eax
            //   50                   | push                0x104
            //   e8????????           |                     

        $sequence_9 = { 53 e8???????? 6804010000 e8???????? }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_10 = { e8???????? 83c404 6a00 6a64 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   83c404               | mov                 edi, eax
            //   6a00                 | push                eax
            //   6a64                 | push                0

        $sequence_11 = { 81c900ffffff 41 898de8feffff 8b85e0feffff 8a8c05f0feffff 888deffeffff }
            // n = 6, score = 200
            //   81c900ffffff         | push                edx
            //   41                   | push                eax
            //   898de8feffff         | jmp                 0xffffffd2
            //   8b85e0feffff         | mov                 dword ptr [ebp - 0x118], 0
            //   8a8c05f0feffff       | mov                 dword ptr [ebp - 0x120], 0
            //   888deffeffff         | jmp                 0x1b

        $sequence_12 = { 450fb608 4803d0 0fb602 418800 }
            // n = 4, score = 200
            //   450fb608             | movzx               eax, cl
            //   4803d0               | dec                 esp
            //   0fb602               | lea                 eax, [esp]
            //   418800               | dec                 eax

        $sequence_13 = { 0fb6c1 4c8d0424 488d1424 4c03c0 }
            // n = 4, score = 200
            //   0fb6c1               | inc                 ecx
            //   4c8d0424             | dec                 eax
            //   488d1424             | arpl                cx, ax
            //   4c03c0               | movzx               edx, byte ptr [esp + eax]

        $sequence_14 = { f77d0c 8b4508 0fb61410 03ca 81e1ff000080 }
            // n = 5, score = 200
            //   f77d0c               | push                0x64
            //   8b4508               | push                edx
            //   0fb61410             | push                eax
            //   03ca                 | add                 esp, 4
            //   81e1ff000080         | push                0

        $sequence_15 = { 408832 4181f900010000 7c9a 488bdd 85ed 0f8e8e000000 }
            // n = 6, score = 200
            //   408832               | inc                 eax
            //   4181f900010000       | mov                 byte ptr [edx], dh
            //   7c9a                 | inc                 ecx
            //   488bdd               | cmp                 ecx, 0x100
            //   85ed                 | jl                  0xffffff9c
            //   0f8e8e000000         | dec                 eax

        $sequence_16 = { 81e1ff000080 7908 49 81c900ffffff 41 898de8feffff }
            // n = 6, score = 200
            //   81e1ff000080         | mov                 edi, eax
            //   7908                 | push                0
            //   49                   | push                edi
            //   81c900ffffff         | pop                 ecx
            //   41                   | pop                 ebp
            //   898de8feffff         | ret                 

        $sequence_17 = { 4889842400010000 4c8b9c2440010000 33c9 4963e9 }
            // n = 4, score = 200
            //   4889842400010000     | movzx               ecx, byte ptr [eax]
            //   4c8b9c2440010000     | dec                 eax
            //   33c9                 | add                 edx, eax
            //   4963e9               | movzx               eax, byte ptr [edx]

        $sequence_18 = { 488b8c2400010000 4833cc e8???????? 4c8d9c2410010000 498b5b10 }
            // n = 5, score = 200
            //   488b8c2400010000     | lea                 edx, [esp]
            //   4833cc               | dec                 esp
            //   e8????????           |                     
            //   4c8d9c2410010000     | add                 eax, eax
            //   498b5b10             | inc                 ebp

        $sequence_19 = { 038ddcfeffff 8811 e9???????? b001 8b4df4 33cd e8???????? }
            // n = 7, score = 200
            //   038ddcfeffff         | push                0
            //   8811                 | push                3
            //   e9????????           |                     
            //   b001                 | push                0x50
            //   8b4df4               | push                0
            //   33cd                 | push                3
            //   e8????????           |                     

        $sequence_20 = { 0f8e8e000000 492bfb ffc1 81e1ff000080 }
            // n = 4, score = 200
            //   0f8e8e000000         | inc                 ecx
            //   492bfb               | mov                 byte ptr [eax], al
            //   ffc1                 | dec                 eax
            //   81e1ff000080         | mov                 ecx, dword ptr [esp + 0x100]

        $sequence_21 = { 7907 48 0d00ffffff 40 8945f8 8b4df8 0fb6940df0feffff }
            // n = 7, score = 200
            //   7907                 | push                0
            //   48                   | push                0
            //   0d00ffffff           | push                0
            //   40                   | push                eax
            //   8945f8               | push                edi
            //   8b4df8               | push                8
            //   0fb6940df0feffff     | push                0

        $sequence_22 = { 8a85effeffff 888415f0feffff 0fb64df8 0fb6940df0feffff 0fb645fc 0fb68c05f0feffff }
            // n = 6, score = 200
            //   8a85effeffff         | push                0x64
            //   888415f0feffff       | push                edx
            //   0fb64df8             | push                eax
            //   0fb6940df0feffff     | add                 esp, 4
            //   0fb645fc             | push                0
            //   0fb68c05f0feffff     | push                0x64

        $sequence_23 = { ffc0 488d5201 3d00010000 7cf1 448bc1 448bc9 }
            // n = 6, score = 200
            //   ffc0                 | dec                 eax
            //   488d5201             | xor                 ecx, esp
            //   3d00010000           | dec                 esp
            //   7cf1                 | lea                 ebx, [esp + 0x110]
            //   448bc1               | dec                 ecx
            //   448bc9               | mov                 ebx, dword ptr [ebx + 0x10]

        $sequence_24 = { ebd0 c785e8feffff00000000 c785e0feffff00000000 eb0f 8b85e0feffff }
            // n = 5, score = 200
            //   ebd0                 | mov                 edi, eax
            //   c785e8feffff00000000     | push    0
            //   c785e0feffff00000000     | push    edi
            //   eb0f                 | push                0x104
            //   8b85e0feffff         | push                0x104

        $sequence_25 = { 81e1ff000080 7d0a ffc9 81c900ffffff ffc1 4863c1 0fb61404 }
            // n = 7, score = 200
            //   81e1ff000080         | mov                 ebx, ebp
            //   7d0a                 | test                ebp, ebp
            //   ffc9                 | jle                 0x96
            //   81c900ffffff         | and                 ecx, 0x800000ff
            //   ffc1                 | jge                 0xc
            //   4863c1               | dec                 ecx
            //   0fb61404             | or                  ecx, 0xffffff00

        $sequence_26 = { 8955fc 0fb645f8 8a8c05f0feffff 888deffeffff 0fb655fc }
            // n = 5, score = 200
            //   8955fc               | push                ebp
            //   0fb645f8             | mov                 ebp, esp
            //   8a8c05f0feffff       | xor                 eax, eax
            //   888deffeffff         | push                eax
            //   0fb655fc             | push                0

        $sequence_27 = { 0f84a9010000 488bc8 ff15???????? 488d15e1580000 488bcb }
            // n = 5, score = 100
            //   0f84a9010000         | jne                 0x295
            //   488bc8               | inc                 ecx
            //   ff15????????         |                     
            //   488d15e1580000       | inc                 edi
            //   488bcb               | dec                 eax

        $sequence_28 = { c785d4feffff3a040000 eb0a c785d4feffffffff1f00 8b4508 }
            // n = 4, score = 100
            //   c785d4feffff3a040000     | mov    dword ptr [ebp - 0x12c], 0x43a
            //   eb0a                 | jmp                 0xc
            //   c785d4feffffffff1f00     | mov    dword ptr [ebp - 0x12c], 0x1fffff
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_29 = { 83c40c c78560ffffff94000000 8d8d60ffffff 51 ff15???????? 83bd64ffffff05 }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   c78560ffffff94000000     | mov    dword ptr [ebp - 0xa0], 0x94
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   83bd64ffffff05       | cmp                 dword ptr [ebp - 0x9c], 5

        $sequence_30 = { e8???????? 488d05bf7f0000 488d5547 488d4de7 48894547 e8???????? 488d05977f0000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d05bf7f0000       | push                eax
            //   488d5547             | push                0x104
            //   488d4de7             | push                0x104
            //   48894547             | mov                 edi, eax
            //   e8????????           |                     
            //   488d05977f0000       | push                0x104

        $sequence_31 = { 4863c6 488d15e5b90000 ffc6 488d0c80 488d0cca baa00f0000 }
            // n = 6, score = 100
            //   4863c6               | push                edi
            //   488d15e5b90000       | push                eax
            //   ffc6                 | push                0
            //   488d0c80             | push                0
            //   488d0cca             | push                0
            //   baa00f0000           | push                0

        $sequence_32 = { 8985e4feffff 6a04 6800300000 6804010000 6a00 8b95e4feffff 52 }
            // n = 7, score = 100
            //   8985e4feffff         | mov                 dword ptr [ebp - 0x11c], eax
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   6804010000           | push                0x104
            //   6a00                 | push                0
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]
            //   52                   | push                edx

        $sequence_33 = { 488d15f5be0000 488bc8 e8???????? 84c0 0f858d020000 41ffc7 4883c614 }
            // n = 7, score = 100
            //   488d15f5be0000       | push                0
            //   488bc8               | push                0
            //   e8????????           |                     
            //   84c0                 | push                eax
            //   0f858d020000         | push                0
            //   41ffc7               | push                0
            //   4883c614             | push                0

        $sequence_34 = { 8d34fd1ca92300 ff36 e8???????? 59 }
            // n = 4, score = 100
            //   8d34fd1ca92300       | lea                 esi, [edi*8 + 0x23a91c]
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_35 = { 55 8bec 8b4508 ff34c570a02300 ff15???????? }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ff34c570a02300       | push                dword ptr [eax*8 + 0x23a070]
            //   ff15????????         |                     

        $sequence_36 = { 4885c0 7528 ff15???????? 83f857 0f85db010000 488d0df4580000 ff15???????? }
            // n = 7, score = 100
            //   4885c0               | add                 esi, 0x14
            //   7528                 | dec                 esp
            //   ff15????????         |                     
            //   83f857               | lea                 ebx, [eax + eax*2]
            //   0f85db010000         | dec                 esp
            //   488d0df4580000       | lea                 esi, [0x9e15]
            //   ff15????????         |                     

        $sequence_37 = { 8d34c570a02300 833e00 7513 50 }
            // n = 4, score = 100
            //   8d34c570a02300       | lea                 esi, [eax*8 + 0x23a070]
            //   833e00               | cmp                 dword ptr [esi], 0
            //   7513                 | jne                 0x15
            //   50                   | push                eax

        $sequence_38 = { 898ddcfeffff 8d95e0feffff 52 6a00 8b85d8feffff 50 8b8dd0feffff }
            // n = 7, score = 100
            //   898ddcfeffff         | mov                 dword ptr [ebp - 0x124], ecx
            //   8d95e0feffff         | lea                 edx, [ebp - 0x120]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   8b85d8feffff         | mov                 eax, dword ptr [ebp - 0x128]
            //   50                   | push                eax
            //   8b8dd0feffff         | mov                 ecx, dword ptr [ebp - 0x130]

        $sequence_39 = { 894df8 894df4 894df0 85db }
            // n = 4, score = 100
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   85db                 | test                ebx, ebx

        $sequence_40 = { 7326 e9???????? 8a03 488d1510aa0000 ffc7 }
            // n = 5, score = 100
            //   7326                 | push                0
            //   e9????????           |                     
            //   8a03                 | push                edi
            //   488d1510aa0000       | push                4
            //   ffc7                 | mov                 dword ptr [edi], 0

        $sequence_41 = { 33db 895dd8 83fb40 0f8d42010000 8b3c9d606d4100 }
            // n = 5, score = 100
            //   33db                 | xor                 ebx, ebx
            //   895dd8               | mov                 dword ptr [ebp - 0x28], ebx
            //   83fb40               | cmp                 ebx, 0x40
            //   0f8d42010000         | jge                 0x148
            //   8b3c9d606d4100       | mov                 edi, dword ptr [ebx*4 + 0x416d60]

        $sequence_42 = { 8bcf e8???????? b84d5a0000 66390502deffff 7404 33db }
            // n = 6, score = 100
            //   8bcf                 | dec                 eax
            //   e8????????           |                     
            //   b84d5a0000           | lea                 edx, [0xbef5]
            //   66390502deffff       | dec                 eax
            //   7404                 | mov                 ecx, eax
            //   33db                 | test                al, al

        $sequence_43 = { 668b4c4310 66890c4590b22300 40 ebe8 33c0 }
            // n = 5, score = 100
            //   668b4c4310           | mov                 cx, word ptr [ebx + eax*2 + 0x10]
            //   66890c4590b22300     | mov                 word ptr [eax*2 + 0x23b290], cx
            //   40                   | inc                 eax
            //   ebe8                 | jmp                 0xffffffea
            //   33c0                 | xor                 eax, eax

        $sequence_44 = { 4c8d1c40 4c8d35159e0000 bd04000000 49c1e304 4d03cb }
            // n = 5, score = 100
            //   4c8d1c40             | push                0
            //   4c8d35159e0000       | push                0x104
            //   bd04000000           | push                0x104
            //   49c1e304             | mov                 edi, eax
            //   4d03cb               | push                0

    condition:
        7 of them and filesize < 262144
}
Download all Yara Rules