win.turla_silentmoon

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla Group


There is no description at this point.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11Twitter (@Arkbird_SOLG)Arkbird
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20210616 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {
    // Autogenerated code-sequence signature for the Turla SilentMoon family
    // (Malpedia identifier win.turla_silentmoon). Each $sequence_N string is a
    // short run of 32-bit x86 instruction bytes selected by YARA-Signator; the
    // corresponding disassembly is reproduced in the comments under each string.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Operand categories that the generator wildcards ("??" bytes below):
        // call/jump targets, data references, and immediate binary values.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Reading the per-sequence comments:
    //   n     = number of instructions in the sequence (matches the bytes above it)
    //   score = ranking value reported by yara-signator for the sequence
    // Instructions whose operand is wildcarded ("????????") have an empty
    // disassembly column: their target/reference bytes depend on the image
    // base and layout of the sample, so only the opcode bytes are matched.
    strings:
        $sequence_0 = { ff15???????? 85f6 5e 7529 6a00 8d45fc 50 }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   85f6                 | test                esi, esi
            //   5e                   | pop                 esi
            //   7529                 | jne                 0x2b
            //   6a00                 | push                0
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax

        $sequence_1 = { ff15???????? 83c408 33c0 33d2 85ff 7e66 8d8decf7ffff }
            // n = 7, score = 300
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   33c0                 | xor                 eax, eax
            //   33d2                 | xor                 edx, edx
            //   85ff                 | test                edi, edi
            //   7e66                 | jle                 0x68
            //   8d8decf7ffff         | lea                 ecx, dword ptr [ebp - 0x814]

        $sequence_2 = { 8b5df8 83c418 83fb03 7c3c c745f801000000 85ff 7403 }
            // n = 7, score = 300
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   83c418               | add                 esp, 0x18
            //   83fb03               | cmp                 ebx, 3
            //   7c3c                 | jl                  0x3e
            //   c745f801000000       | mov                 dword ptr [ebp - 8], 1
            //   85ff                 | test                edi, edi
            //   7403                 | je                  5

        // Three of the six instructions here are wildcarded (two pushes of
        // absolute addresses and an indirect call), so this sequence carries
        // less distinctive material than the others; "7 of them" in the
        // condition means it cannot trigger a match on its own.
        $sequence_3 = { 68???????? 68bc0b0000 83c040 68???????? 50 ff15???????? }
            // n = 6, score = 300
            //   68????????           |                     
            //   68bc0b0000           | push                0xbbc
            //   83c040               | add                 eax, 0x40
            //   68????????           |                     
            //   50                   | push                eax
            //   ff15????????         |                     

        // Shortest sequence in the rule (4 instructions, 10 bytes).
        $sequence_4 = { 3bf1 7ed0 84db 0f847f000000 }
            // n = 4, score = 300
            //   3bf1                 | cmp                 esi, ecx
            //   7ed0                 | jle                 0xffffffd2
            //   84db                 | test                bl, bl
            //   0f847f000000         | je                  0x85

        // NOTE(review): $sequence_5, $sequence_7 and $sequence_8 all operate on
        // the [esi + 0x258] / [esi + 0x25c] pair with shift-by-8 and
        // compare-against-8 logic, which looks like a bit-buffer reader
        // (e.g. part of a decoder/decompressor) — confirm against the sample.
        $sequence_5 = { 83be5c02000008 8b55d4 7dd1 8b865c020000 b91b000000 2bc8 }
            // n = 6, score = 300
            //   83be5c02000008       | cmp                 dword ptr [esi + 0x25c], 8
            //   8b55d4               | mov                 edx, dword ptr [ebp - 0x2c]
            //   7dd1                 | jge                 0xffffffd3
            //   8b865c020000         | mov                 eax, dword ptr [esi + 0x25c]
            //   b91b000000           | mov                 ecx, 0x1b
            //   2bc8                 | sub                 ecx, eax

        $sequence_6 = { 0fb6143a 2b55ec 751a 8b55fc 8b3c96 893c8e 8b7de4 }
            // n = 7, score = 300
            //   0fb6143a             | movzx               edx, byte ptr [edx + edi]
            //   2b55ec               | sub                 edx, dword ptr [ebp - 0x14]
            //   751a                 | jne                 0x1c
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b3c96               | mov                 edi, dword ptr [esi + edx*4]
            //   893c8e               | mov                 dword ptr [esi + ecx*4], edi
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]

        $sequence_7 = { d3e2 099658020000 03f8 89be5c020000 e9???????? 897df4 3b7de8 }
            // n = 7, score = 300
            //   d3e2                 | shl                 edx, cl
            //   099658020000         | or                  dword ptr [esi + 0x258], edx
            //   03f8                 | add                 edi, eax
            //   89be5c020000         | mov                 dword ptr [esi + 0x25c], edi
            //   e9????????           |                     
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   3b7de8               | cmp                 edi, dword ptr [ebp - 0x18]

        $sequence_8 = { ff464c c1a65802000008 83865c020000f8 83be5c02000008 7dd7 8b865c020000 b91f000000 }
            // n = 7, score = 300
            //   ff464c               | inc                 dword ptr [esi + 0x4c]
            //   c1a65802000008       | shl                 dword ptr [esi + 0x258], 8
            //   83865c020000f8       | add                 dword ptr [esi + 0x25c], -8
            //   83be5c02000008       | cmp                 dword ptr [esi + 0x25c], 8
            //   7dd7                 | jge                 0xffffffd9
            //   8b865c020000         | mov                 eax, dword ptr [esi + 0x25c]
            //   b91f000000           | mov                 ecx, 0x1f

        $sequence_9 = { 85148b 75f3 8b7d10 8d48ff 894df4 3bcf 0f8d0a010000 }
            // n = 7, score = 300
            //   85148b               | test                dword ptr [ebx + ecx*4], edx
            //   75f3                 | jne                 0xfffffff5
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   8d48ff               | lea                 ecx, dword ptr [eax - 1]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   3bcf                 | cmp                 ecx, edi
            //   0f8d0a010000         | jge                 0x110

    // Match requires at least 7 of the 10 sequences and a scanned object
    // smaller than 200 KiB (204800 bytes). Because the sequences were taken
    // from memory dumps and unpacked files (see DISCLAIMER), a packed on-disk
    // sample may not match even though its unpacked code would.
    condition:
        7 of them and filesize < 204800
}