win.turla_silentmoon

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla Group


There is no description at this point.

References
2021-11-05 | Emanuele De Lucia on Security | Emanuele De Lucia
@online{lucia:20211105:bigboss:bcea512, author = {Emanuele De Lucia}, title = {{The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors}}, date = {2021-11-05}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/}, language = {English}, urldate = {2021-11-08} } The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
Turla SilentMoon
2021-02-28 | PWC UK | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2020-10-28 | Accenture | Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11 | Twitter (@Arkbird_SOLG) | Arkbird
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20220411 | Detects win.turla_silentmoon.)
/*
 * Autogenerated detection rule for the Turla SilentMoon family
 * (win.turla_silentmoon), produced by yara-signator (see meta.tool / meta.info).
 *
 * Each $sequence_N string is a short run of opcode bytes taken from the
 * disassembly of the family's samples; the commented disassembly under each
 * string shows the decoded instructions. The registers in that disassembly
 * (eax, ebp, esp, ...) are 32-bit, so these patterns are for 32-bit x86 code.
 *
 * Hex-string bytes written as "?" are wildcards that match any byte. In this
 * rule they cover the operands of a1 / 68 / ff15 / e9 instructions, which the
 * generator left unresolved (blank disassembly lines) - presumably addresses
 * that vary between builds; not confirmed here.
 *
 * The condition fires when at least 7 of the 10 sequences are found in a file
 * smaller than 204800 bytes (200 KiB). See the DISCLAIMER in the rule body
 * before assigning a confidence level to matches.
 */
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        // The malpedia_* fields below identify the Malpedia snapshot this rule
        // belongs to (presumably the data it was generated from - see the
        // yara-signator documentation for the exact meaning of each field).
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "// n = N, score = S" annotation gives the number of
        // instructions in the sequence (n, matching the disassembly lines
        // listed beneath it) and yara-signator's ranking score for the
        // sequence (score semantics are the generator's - see its docs).
        $sequence_0 = { 0f8547feffff 8b5508 83c008 83c608 3bc2 7202 2bc2 }
            // n = 7, score = 300
            //   0f8547feffff         | jne                 0xfffffe4d
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c008               | add                 eax, 8
            //   83c608               | add                 esi, 8
            //   3bc2                 | cmp                 eax, edx
            //   7202                 | jb                  4
            //   2bc2                 | sub                 eax, edx

        $sequence_1 = { 85c0 7420 50 a1???????? 6a00 50 }
            // n = 6, score = 300
            //   85c0                 | test                eax, eax
            //   7420                 | je                  0x22
            //   50                   | push                eax
            //   a1????????           |                     
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_2 = { 85c0 7539 6a08 6a01 68???????? 68???????? 68???????? }
            // n = 7, score = 300
            //   85c0                 | test                eax, eax
            //   7539                 | jne                 0x3b
            //   6a08                 | push                8
            //   6a01                 | push                1
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     

        $sequence_3 = { 8b55fc 8b12 8b09 ff4dec 8955e8 }
            // n = 5, score = 300
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   ff4dec               | dec                 dword ptr [ebp - 0x14]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx

        $sequence_4 = { 3bcf 7414 85c0 0f8521010000 8b4514 48 3bf8 }
            // n = 7, score = 300
            //   3bcf                 | cmp                 ecx, edi
            //   7414                 | je                  0x16
            //   85c0                 | test                eax, eax
            //   0f8521010000         | jne                 0x127
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   48                   | dec                 eax
            //   3bf8                 | cmp                 edi, eax

        $sequence_5 = { 8d9598feffff 52 6800020000 6a00 ff15???????? 8bc7 c6043e00 }
            // n = 7, score = 300
            //   8d9598feffff         | lea                 edx, dword ptr [ebp - 0x168]
            //   52                   | push                edx
            //   6800020000           | push                0x200
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bc7                 | mov                 eax, edi
            //   c6043e00             | mov                 byte ptr [esi + edi], 0

        $sequence_6 = { 85db 7e2f 8b55ec 8bf1 2bf3 8d1497 8d34b7 }
            // n = 7, score = 300
            //   85db                 | test                ebx, ebx
            //   7e2f                 | jle                 0x31
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8bf1                 | mov                 esi, ecx
            //   2bf3                 | sub                 esi, ebx
            //   8d1497               | lea                 edx, dword ptr [edi + edx*4]
            //   8d34b7               | lea                 esi, dword ptr [edi + esi*4]

        $sequence_7 = { 8917 8b7df4 03f8 893c96 0fb678fe 8b55fc 66c1ea08 }
            // n = 7, score = 300
            //   8917                 | mov                 dword ptr [edi], edx
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   03f8                 | add                 edi, eax
            //   893c96               | mov                 dword ptr [esi + edx*4], edi
            //   0fb678fe             | movzx               edi, byte ptr [eax - 2]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   66c1ea08             | shr                 dx, 8

        $sequence_8 = { 0f84e30a0000 e9???????? 3cc3 0f8557090000 8b4d08 6a00 8d54241c }
            // n = 7, score = 300
            //   0f84e30a0000         | je                  0xae9
            //   e9????????           |                     
            //   3cc3                 | cmp                 al, 0xc3
            //   0f8557090000         | jne                 0x95d
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   8d54241c             | lea                 edx, dword ptr [esp + 0x1c]

        $sequence_9 = { 3bf0 0f8ec1feffff 8b4dfc 8b7d08 8bd6 }
            // n = 5, score = 300
            //   3bf0                 | cmp                 esi, eax
            //   0f8ec1feffff         | jle                 0xfffffec7
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bd6                 | mov                 edx, esi

    condition:
        // "them" is all 10 $sequence_* strings; at least 7 must be present, so
        // up to 3 sequences may be absent and the rule still matches.
        // The filesize clause restricts hits to inputs under 204800 bytes
        // (200 KiB). NOTE(review): YARA's filesize is defined for file scans;
        // when scanning process memory this clause may not evaluate as
        // intended - confirm against the YARA documentation for your setup.
        7 of them and filesize < 204800
}