win.turla_silentmoon

Turla SilentMoon

aka: GoldenSky, HyperStack

Actor(s): Turla Group


There is no description at this point.

References
2021-02-28 — PWC UK — PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-10-28 — Accenture — Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11 — Twitter (@Arkbird_SOLG) — Arkbird
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance and caveats
     * ----------------------
     * Every $sequence_N below was selected automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of unpacked files and memory dumps held in Malpedia. For many families
     * Malpedia documents a single sample, so how well these byte runs
     * generalise to other builds of the family is unknown; weigh that when
     * assigning the rule a confidence level in your own pipeline, and keep in
     * mind that a packed on-disk sample may not expose these bytes at all.
     *
     * Reading the listings: each comment line pairs the opcode bytes with the
     * disassembly of one instruction. Branch targets are rendered as if the
     * instruction sat at address 0 (e.g. `7c23` is shown as `jl 0x25`), so
     * they are not file offsets. `????????` masks a 4-byte operand — given the
     * signator_config, presumably the address of a call or data reference —
     * so the pattern does not depend on where that address ends up.
     */

    strings:
        // n = 6, score = 300
        $sequence_0 = { 41 894df4 83f910 0f8c30ffffff 83be6802000003 7c23 }
        //   41             inc    ecx
        //   894df4         mov    dword ptr [ebp - 0xc], ecx
        //   83f910         cmp    ecx, 0x10
        //   0f8c30ffffff   jl     0xffffff36
        //   83be6802000003 cmp    dword ptr [esi + 0x268], 3
        //   7c23           jl     0x25

        // n = 5, score = 300
        $sequence_1 = { 6a08 50 43 ff15???????? 56 }
        //   6a08           push   8
        //   50             push   eax
        //   43             inc    ebx
        //   ff15????????   (operand wildcarded)
        //   56             push   esi

        // n = 7, score = 300
        $sequence_2 = { 51 ffd3 eb06 ff15???????? 8b15???????? 56 6a00 }
        //   51             push   ecx
        //   ffd3           call   ebx
        //   eb06           jmp    8
        //   ff15????????   (operand wildcarded)
        //   8b15????????   (operand wildcarded)
        //   56             push   esi
        //   6a00           push   0

        // n = 7, score = 300
        $sequence_3 = { ff04be 8d3cbe 0fb77c4b30 03f8 ff04be 8d3cbe 0fb77c4b32 }
        //   ff04be         inc    dword ptr [esi + edi*4]
        //   8d3cbe         lea    edi, [esi + edi*4]
        //   0fb77c4b30     movzx  edi, word ptr [ebx + ecx*2 + 0x30]
        //   03f8           add    edi, eax
        //   ff04be         inc    dword ptr [esi + edi*4]
        //   8d3cbe         lea    edi, [esi + edi*4]
        //   0fb77c4b32     movzx  edi, word ptr [ebx + ecx*2 + 0x32]

        // n = 7, score = 300
        $sequence_4 = { e8???????? 83c444 6a03 c78424440100001c010000 c784244801000006000000 6a02 56 }
        //   e8????????                 (operand wildcarded)
        //   83c444                     add    esp, 0x44
        //   6a03                       push   3
        //   c78424440100001c010000     mov    dword ptr [esp + 0x144], 0x11c
        //   c784244801000006000000     mov    dword ptr [esp + 0x148], 6
        //   6a02                       push   2
        //   56                         push   esi

        // n = 6, score = 300
        $sequence_5 = { 8d4a01 8b55ec 894df8 3b8e74020000 0f8c15f4ffff 83be6802000003 }
        //   8d4a01         lea    ecx, [edx + 1]
        //   8b55ec         mov    edx, dword ptr [ebp - 0x14]
        //   894df8         mov    dword ptr [ebp - 8], ecx
        //   3b8e74020000   cmp    ecx, dword ptr [esi + 0x274]
        //   0f8c15f4ffff   jl     0xfffff41b
        //   83be6802000003 cmp    dword ptr [esi + 0x268], 3

        // n = 7, score = 300
        $sequence_6 = { 83fe7b 7407 32c0 5e 8be5 5d c3 }
        //   83fe7b         cmp    esi, 0x7b
        //   7407           je     9
        //   32c0           xor    al, al
        //   5e             pop    esi
        //   8be5           mov    esp, ebp
        //   5d             pop    ebp
        //   c3             ret

        // n = 5, score = 300
        $sequence_7 = { 89148e 42 3bd0 7ce2 99 }
        //   89148e         mov    dword ptr [esi + ecx*4], edx
        //   42             inc    edx
        //   3bd0           cmp    edx, eax
        //   7ce2           jl     0xffffffe4
        //   99             cdq

        // n = 5, score = 300
        $sequence_8 = { 8b5044 8b7024 880c32 015844 8a4838 }
        //   8b5044         mov    edx, dword ptr [eax + 0x44]
        //   8b7024         mov    esi, dword ptr [eax + 0x24]
        //   880c32         mov    byte ptr [edx + esi], cl
        //   015844         add    dword ptr [eax + 0x44], ebx
        //   8a4838         mov    cl, byte ptr [eax + 0x38]

        // n = 7, score = 300
        $sequence_9 = { 0f8f82fcffff 5f 5b 8be5 5d c3 8b0d???????? }
        //   0f8f82fcffff   jg     0xfffffc88
        //   5f             pop    edi
        //   5b             pop    ebx
        //   8be5           mov    esp, ebp
        //   5d             pop    ebp
        //   c3             ret
        //   8b0d????????   (operand wildcarded)

    condition:
        // 200KB is YARA's 1024-based unit, i.e. the same 204800-byte cap as
        // before; the size test is placed first only for readability.
        filesize < 200KB and 7 of ($sequence_*)
}