win.skipper

Skipper

aka: Kotel

Actor(s): Turla Group


No curated description is available for this family yet. What this entry does establish: Skipper (also tracked as Kotel) is attributed to the Turla Group, and the references below — ESET's 2017 watering-hole write-up and 2020 Armenian watering-hole report, Kaspersky GReAT's "Shedding Skin – Turla's Fresh Faces", Telsy's Skipper analysis, and Bitdefender's Pacifier APT whitepapers — are the primary sources for its tooling and history. Use them, not this placeholder, as the basis for detection or attribution work.

References
2020-03-12 · ESET Research · Matthieu Faou
@online{faou:20200312:tracking:913d16e, author = {Matthieu Faou}, title = {{Tracking Turla: New backdoor delivered via Armenian watering holes}}, date = {2020-03-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/}, language = {English}, urldate = {2020-03-13} } Tracking Turla: New backdoor delivered via Armenian watering holes
LightNeuron Mosquito NetFlash Skipper
2020-03-04 · CrowdStrike · CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-03 · PWC UK · PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020 · Secureworks · SecureWorks
@online{secureworks:2020:iron:de2007f, author = {SecureWorks}, title = {{IRON HUNTER}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-hunter}, language = {English}, urldate = {2020-05-23} } IRON HUNTER
Agent.BTZ Cobra Carbon System LightNeuron Mosquito Nautilus Neuron Skipper Uroburos Turla Group
2019-05-19 · Telsy · Webmaster
@online{webmaster:20190519:following:d15ba1c, author = {Webmaster}, title = {{Following the Turla’s Skipper over the ocean of cyber operations}}, date = {2019-05-19}, organization = {Telsy}, url = {https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/}, language = {English}, urldate = {2020-01-08} } Following the Turla’s Skipper over the ocean of cyber operations
Skipper
2018-10-04 · Kaspersky Labs · GReAT
@online{great:20181004:shedding:5f22310, author = {GReAT}, title = {{Shedding Skin – Turla’s Fresh Faces}}, date = {2018-10-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/shedding-skin-turlas-fresh-faces/88069/}, language = {English}, urldate = {2020-02-27} } Shedding Skin – Turla’s Fresh Faces
KopiLuwak Cobra Carbon System Gazer Mosquito Skipper
2017-06-06 · ESET Research · Jean-Ian Boutin
@online{boutin:20170606:turlas:f9b4935, author = {Jean-Ian Boutin}, title = {{Turla’s watering hole campaign: An updated Firefox extension abusing Instagram}}, date = {2017-06-06}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/}, language = {English}, urldate = {2019-11-14} } Turla’s watering hole campaign: An updated Firefox extension abusing Instagram
HTML5 Encoding Skipper
2016-06-30 · Bitdefender · Bitdefender
@techreport{bitdefender:20160630:pacifier:cbcb081, author = {Bitdefender}, title = {{Pacifier APT}}, date = {2016-06-30}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf}, language = {English}, urldate = {2020-01-09} } Pacifier APT
Skipper
2015 · Bitdefender · Cristian Istrate, Andrei Ardelean, Claudiu Cobliș, Marius Tivadar
@techreport{istrate:2015:new:254e212, author = {Cristian Istrate and Andrei Ardelean and Claudiu Cobliș and Marius Tivadar}, title = {{New Pacifier APT Components Point to Russian-Linked Turla Group}}, date = {2015}, institution = {Bitdefender}, url = {https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf}, language = {English}, urldate = {2020-01-08} } New Pacifier APT Components Point to Russian-Linked Turla Group
Skipper
Yara Rules
[TLP:WHITE] win_skipper_auto (20210616 | Detects win.skipper.)
rule win_skipper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.skipper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (comments only; the byte patterns and condition are unchanged)
     * - The per-instruction disassembly comments for $sequence_8 onward were
     *   misaligned in the generated output (e.g. 83c404 is "add esp, 4", not
     *   "mov byte ptr [ecx], 0"); they have been re-derived from the bytes.
     *   Sequences carrying REX prefixes (0x40-0x4f) are decoded as x86-64, the
     *   rest as 32-bit x86, so the rule covers both a 32-bit and a 64-bit
     *   build. Bytes shown as ???????? are wildcarded immediates/displacements
     *   (relocated addresses, call targets) and carry no operand text.
     * - Jump targets in the comments are offsets from the first byte of the
     *   sequence, not absolute addresses.
     * - Several sequences are generic compiler idioms ($sequence_1 is an
     *   epilogue followed by a prologue, $sequence_2 a run of "push 0" before
     *   a call). Specificity comes from the "7 of them" threshold, not from
     *   any single sequence; treat a hit as a triage lead, not an attribution.
     * - "score" appears to be yara-signator's per-sequence coverage figure
     *   across the samples it saw (higher = present in more samples) — confirm
     *   against the tool's documentation before weighting sequences by it.
     * - "filesize < 262144" (256 KiB) is a hard cap: large memory dumps or
     *   padded/appended samples will not match even if the code is present.
     *   Per the disclaimer the patterns come from unpacked/dumped code, so a
     *   packed on-disk sample is not expected to match either.
     */


    strings:
        $sequence_0 = { 6a00 6a03 68???????? 68???????? 6a50 }
            // n = 5, score = 600
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   68????????           |                     
            //   68????????           |                     
            //   6a50                 | push                0x50

        $sequence_1 = { 59 5d c3 55 8bec 33c0 50 }
            // n = 7, score = 500
            //   59                   | pop                 ecx
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            // NOTE(review): generic function boundary (epilogue + prologue);
            // on its own this matches a large share of 32-bit MSVC binaries.

        $sequence_2 = { ff15???????? 6a00 6a00 6a00 6a00 50 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax
            // NOTE(review): generic "four NULL args then a handle/pointer"
            // call setup; not family-specific by itself.

        $sequence_3 = { 6804010000 e8???????? 6804010000 8bf8 6a00 57 e8???????? }
            // n = 7, score = 500
            //   6804010000           | push                0x104
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   8bf8                 | mov                 edi, eax
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     
            // 0x104 = MAX_PATH; a 260-byte buffer allocated then zeroed is the
            // plausible reading, but the callees are wildcarded — unconfirmed.

        $sequence_4 = { 03c8 0fb601 8802 8819 0fb60a 0fb6c3 03c8 }
            // n = 7, score = 400
            //   03c8                 | add                 ecx, eax
            //   0fb601               | movzx               eax, byte ptr [ecx]
            //   8802                 | mov                 byte ptr [edx], al
            //   8819                 | mov                 byte ptr [ecx], bl
            //   0fb60a               | movzx               ecx, byte ptr [edx]
            //   0fb6c3               | movzx               eax, bl
            //   03c8                 | add                 ecx, eax
            // NOTE(review): swaps two table bytes and sums them into an index —
            // consistent with an RC4-style state permutation; unconfirmed.

        $sequence_5 = { 53 8b5d08 56 8b750c 57 53 6a00 }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   57                   | push                edi
            //   53                   | push                ebx
            //   6a00                 | push                0

        $sequence_6 = { e8???????? 57 6a1b 68???????? b9???????? }
            // n = 5, score = 400
            //   e8????????           |                     
            //   57                   | push                edi
            //   6a1b                 | push                0x1b
            //   68????????           |                     
            //   b9????????           |                     

        $sequence_7 = { e8???????? 57 e8???????? 83c428 8d4601 90 8a0e }
            // n = 7, score = 400
            //   e8????????           |                     
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c428               | add                 esp, 0x28
            //   8d4601               | lea                 eax, dword ptr [esi + 1]
            //   90                   | nop                 
            //   8a0e                 | mov                 cl, byte ptr [esi]

        $sequence_8 = { 83c404 6a00 6a64 52 50 }
            // n = 5, score = 300
            //   83c404               | add                 esp, 4
            //   6a00                 | push                0
            //   6a64                 | push                0x64
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_9 = { 53 e8???????? 6804010000 e8???????? }
            // n = 4, score = 300
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   e8????????           |                     

        $sequence_10 = { 6800308000 6a00 6a00 68???????? }
            // n = 4, score = 300
            //   6800308000           | push                0x803000
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   68????????           |                     

        $sequence_11 = { 408832 4181f900010000 7c9a 488bdd 85ed }
            // n = 5, score = 200
            //   408832               | mov                 byte ptr [rdx], sil
            //   4181f900010000       | cmp                 r9d, 0x100
            //   7c9a                 | jl                  0xffffffa6
            //   488bdd               | mov                 rbx, rbp
            //   85ed                 | test                ebp, ebp
            // x86-64. A byte-store loop bounded at 0x100 iterations: a 256-entry
            // table initialisation is the natural reading — unconfirmed.

        $sequence_12 = { 8b85e0feffff 99 f77d0c 8b4508 0fb61410 03ca 81e1ff000080 }
            // n = 7, score = 200
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   99                   | cdq                 
            //   f77d0c               | idiv                dword ptr [ebp + 0xc]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fb61410             | movzx               edx, byte ptr [eax + edx]
            //   03ca                 | add                 ecx, edx
            //   81e1ff000080         | and                 ecx, 0x800000ff
            // "and reg, 0x800000ff" is the compiler idiom for a signed x % 256;
            // together with the idiv remainder this reads as key[i % keylen]
            // being folded into a 256-range index — RC4 KSA-like, unconfirmed.

        $sequence_13 = { 4c03c0 410fb6c2 450fb608 4803d0 }
            // n = 4, score = 200
            //   4c03c0               | add                 r8, rax
            //   410fb6c2             | movzx               eax, r10b
            //   450fb608             | movzx               r9d, byte ptr [r8]
            //   4803d0               | add                 rdx, rax
            // x86-64.

        $sequence_14 = { 3b5514 0f8dcf000000 8b45f8 83c001 25ff000080 }
            // n = 5, score = 200
            //   3b5514               | cmp                 edx, dword ptr [ebp + 0x14]
            //   0f8dcf000000         | jge                 0xd8
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   83c001               | add                 eax, 1
            //   25ff000080           | and                 eax, 0x800000ff
            // (i + 1) % 256 with the signed-modulo idiom; loop bounded by a
            // length argument at [ebp + 0x14].

        $sequence_15 = { e8???????? 4c8d9c2410010000 498b5b10 498b6b18 }
            // n = 4, score = 200
            //   e8????????           |                     
            //   4c8d9c2410010000     | lea                 r11, [rsp + 0x110]
            //   498b5b10             | mov                 rbx, qword ptr [r11 + 0x10]
            //   498b6b18             | mov                 rbp, qword ptr [r11 + 0x18]
            // x86-64 epilogue shape: callee-saved registers restored through a
            // frame pointer in r11 after a 0x110-byte frame.

        $sequence_16 = { c1e81f 03d0 418bc1 8d1492 }
            // n = 4, score = 200
            //   c1e81f               | shr                 eax, 0x1f
            //   03d0                 | add                 edx, eax
            //   418bc1               | mov                 eax, r9d
            //   8d1492               | lea                 edx, [rdx + rdx*4]
            // x86-64. shr/add is the sign-correction step of a signed division
            // by a constant; lea edx,[rdx+rdx*4] multiplies by 5.

        $sequence_17 = { 33c9 4963e9 498bf8 488d1424 }
            // n = 4, score = 200
            //   33c9                 | xor                 ecx, ecx
            //   4963e9               | movsxd              rbp, r9d
            //   498bf8               | mov                 rdi, r8
            //   488d1424             | lea                 rdx, [rsp]
            // x86-64.

        $sequence_18 = { 0fb61404 4403d2 4181e2ff000080 7d0d 41ffca 4181ca00ffffff 41ffc2 }
            // n = 7, score = 200
            //   0fb61404             | movzx               edx, byte ptr [rsp + rax]
            //   4403d2               | add                 r10d, edx
            //   4181e2ff000080       | and                 r10d, 0x800000ff
            //   7d0d                 | jge                 0x1d
            //   41ffca               | dec                 r10d
            //   4181ca00ffffff       | or                  r10d, 0xffffff00
            //   41ffc2               | inc                 r10d
            // x86-64. The and/jge/dec/or/inc run is the full compiler expansion
            // of a signed x % 256 on a 256-byte table held on the stack — the
            // 64-bit counterpart of $sequence_12 / $sequence_14.

        $sequence_19 = { 2bc2 4863d0 420fb60432 4403c0 4403c6 4181e0ff000080 7d0d }
            // n = 7, score = 200
            //   2bc2                 | sub                 eax, edx
            //   4863d0               | movsxd              rdx, eax
            //   420fb60432           | movzx               eax, byte ptr [rdx + r14]
            //   4403c0               | add                 r8d, eax
            //   4403c6               | add                 r8d, esi
            //   4181e0ff000080       | and                 r8d, 0x800000ff
            //   7d0d                 | jge                 0x25
            // x86-64. key byte (indexed by a remainder) plus state byte, reduced
            // mod 256 — same shape as $sequence_12.

        $sequence_20 = { 8885eefeffff 8b4d10 038ddcfeffff 0fbe11 }
            // n = 4, score = 200
            //   8885eefeffff         | mov                 byte ptr [ebp - 0x112], al
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   038ddcfeffff         | add                 ecx, dword ptr [ebp - 0x124]
            //   0fbe11               | movsx               edx, byte ptr [ecx]

        $sequence_21 = { 42 8955fc 0fb645f8 8a8c05f0feffff }
            // n = 4, score = 200
            //   42                   | inc                 edx
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   0fb645f8             | movzx               eax, byte ptr [ebp - 8]
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            // 32-bit (0x42 is "inc edx" here, not a REX prefix — the ebp-relative
            // frame confirms the mode).

        $sequence_22 = { 888415f0feffff 0fb64df8 0fb6940df0feffff 0fb645fc }
            // n = 4, score = 200
            //   888415f0feffff       | mov                 byte ptr [ebp + edx - 0x110], al
            //   0fb64df8             | movzx               ecx, byte ptr [ebp - 8]
            //   0fb6940df0feffff     | movzx               edx, byte ptr [ebp + ecx - 0x110]
            //   0fb645fc             | movzx               eax, byte ptr [ebp - 4]

        $sequence_23 = { 81ec24010000 a1???????? 33c5 8945f4 c745f800000000 c745fc00000000 c785e4feffff00000000 }
            // n = 7, score = 200
            //   81ec24010000         | sub                 esp, 0x124
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c785e4feffff00000000 | mov                 dword ptr [ebp - 0x11c], 0
            // NOTE(review): mov eax,[global]; xor eax,ebp; mov [ebp-0xc],eax is
            // the MSVC /GS stack-cookie setup pattern — the wildcarded global
            // would be __security_cookie; unconfirmed. The 0x124 frame and
            // [ebp-0x110] table size line up with $sequence_21/22/24/26.

        $sequence_24 = { 8a8c05f0feffff 888deffeffff 0fb655fc 0fb645f8 8a8c15f0feffff 888c05f0feffff 0fb655fc }
            // n = 7, score = 200
            //   8a8c05f0feffff       | mov                 cl, byte ptr [ebp + eax - 0x110]
            //   888deffeffff         | mov                 byte ptr [ebp - 0x111], cl
            //   0fb655fc             | movzx               edx, byte ptr [ebp - 4]
            //   0fb645f8             | movzx               eax, byte ptr [ebp - 8]
            //   8a8c15f0feffff       | mov                 cl, byte ptr [ebp + edx - 0x110]
            //   888c05f0feffff       | mov                 byte ptr [ebp + eax - 0x110], cl
            //   0fb655fc             | movzx               edx, byte ptr [ebp - 4]
            // NOTE(review): swap of S[i] and S[j] via a one-byte temp in a
            // 256-byte stack table — the strongest RC4-like signal in the rule;
            // still unconfirmed without the surrounding code.

        $sequence_25 = { 4803d0 0fb602 418800 44880a 410fb610 4103d1 }
            // n = 6, score = 200
            //   4803d0               | add                 rdx, rax
            //   0fb602               | movzx               eax, byte ptr [rdx]
            //   418800               | mov                 byte ptr [r8], al
            //   44880a               | mov                 byte ptr [rdx], r9b
            //   410fb610             | movzx               edx, byte ptr [r8]
            //   4103d1               | add                 edx, r9d
            // x86-64 counterpart of $sequence_4 (byte swap, then sum into index).

        $sequence_26 = { 8b85e0feffff 8a8c15f0feffff 888c05f0feffff 0fb695e8feffff 8a85effeffff 888415f0feffff }
            // n = 6, score = 200
            //   8b85e0feffff         | mov                 eax, dword ptr [ebp - 0x120]
            //   8a8c15f0feffff       | mov                 cl, byte ptr [ebp + edx - 0x110]
            //   888c05f0feffff       | mov                 byte ptr [ebp + eax - 0x110], cl
            //   0fb695e8feffff       | movzx               edx, byte ptr [ebp - 0x118]
            //   8a85effeffff         | mov                 al, byte ptr [ebp - 0x111]
            //   888415f0feffff       | mov                 byte ptr [ebp + edx - 0x110], al

        $sequence_27 = { c60100 e8???????? 83ec18 8bcc c645fc03 8965ec 6aff }
            // n = 7, score = 100
            //   c60100               | mov                 byte ptr [ecx], 0
            //   e8????????           |                     
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8965ec               | mov                 dword ptr [ebp - 0x14], esp
            //   6aff                 | push                -1
            // The [ebp-4] byte store is the MSVC EH-state counter pattern around
            // a by-value object construction on the stack; unconfirmed.

        $sequence_28 = { ff15???????? 85c0 75bc 53 50 68ffff1f00 ffd6 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75bc                 | jne                 0xffffffc6
            //   53                   | push                ebx
            //   50                   | push                eax
            //   68ffff1f00           | push                0x1fffff
            //   ffd6                 | call                esi
            // NOTE(review): 0x1fffff is the *_ALL_ACCESS mask (e.g.
            // PROCESS_ALL_ACCESS / THREAD_ALL_ACCESS); the callee in esi is not
            // visible here, so which object is opened is unconfirmed.

        $sequence_29 = { 8d4310 8d89bca62300 5a 668b31 }
            // n = 4, score = 100
            //   8d4310               | lea                 eax, dword ptr [ebx + 0x10]
            //   8d89bca62300         | lea                 ecx, dword ptr [ecx + 0x23a6bc]
            //   5a                   | pop                 edx
            //   668b31               | mov                 si, word ptr [ecx]
            // The 0x23axxx displacements here and in $sequence_30/32/33/35 are
            // image-relative data addresses of one specific build; they will not
            // survive a rebuild or relocation and are the most brittle atoms.

        $sequence_30 = { e8???????? 59 59 8b7508 8d34f570a02300 391e }
            // n = 6, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d34f570a02300       | lea                 esi, dword ptr [esi*8 + 0x23a070]
            //   391e                 | cmp                 dword ptr [esi], ebx
            // Indexes an 8-byte-stride table at 0x23a070 (same table as
            // $sequence_32).

        $sequence_31 = { 8b95e4feffff 52 ff15???????? 8985d8feffff }
            // n = 4, score = 100
            //   8b95e4feffff         | mov                 edx, dword ptr [ebp - 0x11c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8985d8feffff         | mov                 dword ptr [ebp - 0x128], eax

        $sequence_32 = { 751e 8d04f570a02300 8938 68a00f0000 ff30 83c718 e8???????? }
            // n = 7, score = 100
            //   751e                 | jne                 0x20
            //   8d04f570a02300       | lea                 eax, dword ptr [esi*8 + 0x23a070]
            //   8938                 | mov                 dword ptr [eax], edi
            //   68a00f0000           | push                0xfa0
            //   ff30                 | push                dword ptr [eax]
            //   83c718               | add                 edi, 0x18
            //   e8????????           |                     
            // 0xfa0 = 4000 (decimal); passed with the table entry to a
            // wildcarded callee — a timeout in ms is one reading, unconfirmed.

        $sequence_33 = { 7d10 8a8c181d010000 8888b0a52300 40 ebe6 }
            // n = 5, score = 100
            //   7d10                 | jge                 0x12
            //   8a8c181d010000       | mov                 cl, byte ptr [eax + ebx + 0x11d]
            //   8888b0a52300         | mov                 byte ptr [eax + 0x23a5b0], cl
            //   40                   | inc                 eax
            //   ebe6                 | jmp                 0xfffffff8
            // Byte-copy loop from an object field at +0x11d into a global buffer.

        $sequence_34 = { 4c8d3528ba0000 488b0d???????? eb7b 4c8d3510ba0000 488b0d???????? eb6b e8???????? }
            // n = 7, score = 100
            //   4c8d3528ba0000       | lea                 r14, [rip + 0xba28]
            //   488b0d????????       |                     
            //   eb7b                 | jmp                 0x8b
            //   4c8d3510ba0000       | lea                 r14, [rip + 0xba10]
            //   488b0d????????       |                     
            //   eb6b                 | jmp                 0x8b
            //   e8????????           |                     
            // x86-64. Two switch/if arms that each pick a RIP-relative string or
            // object (0x18 bytes apart) and converge on the same target.

        $sequence_35 = { 56 57 33ff 8db7d0a92300 ff36 e8???????? }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8db7d0a92300         | lea                 esi, dword ptr [edi + 0x23a9d0]
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     

        $sequence_36 = { 488d3d94e80000 41b804010000 33c9 488bd7 }
            // n = 4, score = 100
            //   488d3d94e80000       | lea                 rdi, [rip + 0xe894]
            //   41b804010000         | mov                 r8d, 0x104
            //   33c9                 | xor                 ecx, ecx
            //   488bd7               | mov                 rdx, rdi
            // x86-64. rcx=0, rdx=buffer, r8d=MAX_PATH is the argument shape of a
            // GetModuleFileName-style call (hModule=NULL) — callee not visible,
            // unconfirmed.

        $sequence_37 = { ff95dcfeffff 8985ecfeffff 6800800000 6804010000 }
            // n = 4, score = 100
            //   ff95dcfeffff         | call                dword ptr [ebp - 0x124]
            //   8985ecfeffff         | mov                 dword ptr [ebp - 0x114], eax
            //   6800800000           | push                0x8000
            //   6804010000           | push                0x104
            // Indirect call through a stack-resolved function pointer (typical of
            // dynamically resolved imports) — worth noting for API-hashing hunts.

        $sequence_38 = { 8938 e8???????? 488d1d2baa0000 4885c0 }
            // n = 4, score = 100
            //   8938                 | mov                 dword ptr [rax], edi
            //   e8????????           |                     
            //   488d1d2baa0000       | lea                 rbx, [rip + 0xaa2b]
            //   4885c0               | test                rax, rax
            // x86-64.

        $sequence_39 = { 7516 488d0590a50000 488b4c2430 483bc8 7405 }
            // n = 5, score = 100
            //   7516                 | jne                 0x18
            //   488d0590a50000       | lea                 rax, [rip + 0xa590]
            //   488b4c2430           | mov                 rcx, qword ptr [rsp + 0x30]
            //   483bc8               | cmp                 rcx, rax
            //   7405                 | je                  0x18
            // x86-64. Pointer compared against a static object address — the
            // "is this the shared/static instance" check seen in std::string-
            // style copy-on-write or singleton code; unconfirmed.

        $sequence_40 = { c3 4053 4883ec20 488bd9 e8???????? 488d054fae0000 488903 }
            // n = 7, score = 100
            //   c3                   | ret                 
            //   4053                 | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   488bd9               | mov                 rbx, rcx
            //   e8????????           |                     
            //   488d054fae0000       | lea                 rax, [rip + 0xae4f]
            //   488903               | mov                 qword ptr [rbx], rax
            // x86-64. Stores a RIP-relative address into the first qword of the
            // object in rcx after a call — the shape of a C++ constructor
            // installing a vtable pointer; unconfirmed.

        $sequence_41 = { 6a00 6804010000 8d85f0feffff 50 8b8dd8feffff }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   6804010000           | push                0x104
            //   8d85f0feffff         | lea                 eax, dword ptr [ebp - 0x110]
            //   50                   | push                eax
            //   8b8dd8feffff         | mov                 ecx, dword ptr [ebp - 0x128]

        $sequence_42 = { 4803db 4c8d357ca40000 49833cde00 7407 }
            // n = 4, score = 100
            //   4803db               | add                 rbx, rbx
            //   4c8d357ca40000       | lea                 r14, [rip + 0xa47c]
            //   49833cde00           | cmp                 qword ptr [r14 + rbx*8], 0
            //   7407                 | je                  0x18
            // x86-64. Probes a pointer table for a NULL slot.

        $sequence_43 = { 48895f10 488d1517da0000 480f45d0 881f }
            // n = 4, score = 100
            //   48895f10             | mov                 qword ptr [rdi + 0x10], rbx
            //   488d1517da0000       | lea                 rdx, [rip + 0xda17]
            //   480f45d0             | cmovne              rdx, rax
            //   881f                 | mov                 byte ptr [rdi], bl
            // x86-64.

        $sequence_44 = { 488b8eb8000000 4c8d352ca40000 f0ff09 7511 488b8eb8000000 493bce 7405 }
            // n = 7, score = 100
            //   488b8eb8000000       | mov                 rcx, qword ptr [rsi + 0xb8]
            //   4c8d352ca40000       | lea                 r14, [rip + 0xa42c]
            //   f0ff09               | lock dec            dword ptr [rcx]
            //   7511                 | jne                 0x24
            //   488b8eb8000000       | mov                 rcx, qword ptr [rsi + 0xb8]
            //   493bce               | cmp                 rcx, r14
            //   7405                 | je                  0x24
            // x86-64. Atomic decrement of a counter reached through an object
            // field, then a compare against a static address — reads as a
            // reference-count release that skips a static/shared buffer;
            // unconfirmed.

    condition:
        7 of them and filesize < 262144
}