SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_silentmoon (Back to overview)

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla


There is no description at this point.

References
2022-06-12cocomelonc
@online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2021-11-05Emanuele De Lucia on SecurityEmanuele De Lucia
@online{lucia:20211105:bigboss:bcea512, author = {Emanuele De Lucia}, title = {{The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors}}, date = {2021-11-05}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/}, language = {English}, urldate = {2021-11-08} } The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
Turla SilentMoon
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11Twitter (@Arkbird_SOLG)Arkbird
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20230407 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7c10 c7460401000000 c745fc04000000 eb07 c745fc03000000 8b87a8130000 }
            // n = 6, score = 300
            //   7c10                 | jl                  0x12
            //   c7460401000000       | mov                 dword ptr [esi + 4], 1
            //   c745fc04000000       | mov                 dword ptr [ebp - 4], 4
            //   eb07                 | jmp                 9
            //   c745fc03000000       | mov                 dword ptr [ebp - 4], 3
            //   8b87a8130000         | mov                 eax, dword ptr [edi + 0x13a8]

        $sequence_1 = { 8955fc e8???????? 8b4df4 83c404 b801000000 d3c0 c745f0ffffffff }
            // n = 7, score = 300
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   83c404               | add                 esp, 4
            //   b801000000           | mov                 eax, 1
            //   d3c0                 | rol                 eax, cl
            //   c745f0ffffffff       | mov                 dword ptr [ebp - 0x10], 0xffffffff

        $sequence_2 = { 6a00 51 ff15???????? 85db 7410 8b15???????? }
            // n = 6, score = 300
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85db                 | test                ebx, ebx
            //   7410                 | je                  0x12
            //   8b15????????         |                     

        $sequence_3 = { 47 03c9 897dd0 3bfa 7ec7 8b45e4 }
            // n = 6, score = 300
            //   47                   | inc                 edi
            //   03c9                 | add                 ecx, ecx
            //   897dd0               | mov                 dword ptr [ebp - 0x30], edi
            //   3bfa                 | cmp                 edi, edx
            //   7ec7                 | jle                 0xffffffc9
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_4 = { 56 6a00 51 ffd7 8b15???????? 53 }
            // n = 6, score = 300
            //   56                   | push                esi
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ffd7                 | call                edi
            //   8b15????????         |                     
            //   53                   | push                ebx

        $sequence_5 = { 8d857cfcffff 50 6a00 6a00 ff15???????? 8b15???????? 52 }
            // n = 7, score = 300
            //   8d857cfcffff         | lea                 eax, [ebp - 0x384]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8b15????????         |                     
            //   52                   | push                edx

        $sequence_6 = { 8d9b00000000 8b4e4c 8b562c 8945cc 8a865b020000 88040a ff464c }
            // n = 7, score = 300
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   8b4e4c               | mov                 ecx, dword ptr [esi + 0x4c]
            //   8b562c               | mov                 edx, dword ptr [esi + 0x2c]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   8a865b020000         | mov                 al, byte ptr [esi + 0x25b]
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   ff464c               | inc                 dword ptr [esi + 0x4c]

        $sequence_7 = { 881408 ff464c c1a65802000008 83865c020000f8 83be5c02000008 8b55cc 7dd1 }
            // n = 7, score = 300
            //   881408               | mov                 byte ptr [eax + ecx], dl
            //   ff464c               | inc                 dword ptr [esi + 0x4c]
            //   c1a65802000008       | shl                 dword ptr [esi + 0x258], 8
            //   83865c020000f8       | add                 dword ptr [esi + 0x25c], -8
            //   83be5c02000008       | cmp                 dword ptr [esi + 0x25c], 8
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   7dd1                 | jge                 0xffffffd3

        $sequence_8 = { ff15???????? a1???????? 83c404 57 6a08 50 }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   a1????????           |                     
            //   83c404               | add                 esp, 4
            //   57                   | push                edi
            //   6a08                 | push                8
            //   50                   | push                eax

        $sequence_9 = { 09be58020000 8b7df8 898e5c020000 0fb77c7b04 897df4 8b3cba 897dd4 }
            // n = 7, score = 300
            //   09be58020000         | or                  dword ptr [esi + 0x258], edi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   898e5c020000         | mov                 dword ptr [esi + 0x25c], ecx
            //   0fb77c7b04           | movzx               edi, word ptr [ebx + edi*2 + 4]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   8b3cba               | mov                 edi, dword ptr [edx + edi*4]
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules