SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_silentmoon (Back to overview)

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla Group


There is no description at this point.

References
2021-11-05Emanuele De Lucia on SecurityEmanuele De Lucia
@online{lucia:20211105:bigboss:bcea512, author = {Emanuele De Lucia}, title = {{The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors}}, date = {2021-11-05}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/}, language = {English}, urldate = {2021-11-08} } The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
Turla SilentMoon
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11Twitter (@Arkbird_SOLG)Arkbird
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20220808 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 52 ffd3 8b45fc 50 ff15???????? }
            // n = 6, score = 300
            //   6a00                 | push                0
            //   52                   | push                edx
            //   ffd3                 | call                ebx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_1 = { 75f5 2bc1 d1f8 8bf8 a1???????? 8d5701 }
            // n = 6, score = 300
            //   75f5                 | jne                 0xfffffff7
            //   2bc1                 | sub                 eax, ecx
            //   d1f8                 | sar                 eax, 1
            //   8bf8                 | mov                 edi, eax
            //   a1????????           |                     
            //   8d5701               | lea                 edx, [edi + 1]

        $sequence_2 = { 83c104 83c204 895dfc 85db 7fe1 8b4de0 8b55ec }
            // n = 7, score = 300
            //   83c104               | add                 ecx, 4
            //   83c204               | add                 edx, 4
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   85db                 | test                ebx, ebx
            //   7fe1                 | jg                  0xffffffe3
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_3 = { 7c33 8d642400 8b4e4c 8b462c 8955d4 8a965b020000 881408 }
            // n = 7, score = 300
            //   7c33                 | jl                  0x35
            //   8d642400             | lea                 esp, [esp]
            //   8b4e4c               | mov                 ecx, dword ptr [esi + 0x4c]
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx
            //   8a965b020000         | mov                 dl, byte ptr [esi + 0x25b]
            //   881408               | mov                 byte ptr [eax + ecx], dl

        $sequence_4 = { 7d66 83be5c02000008 7c2f 8b4e4c 8b462c 8955e8 }
            // n = 6, score = 300
            //   7d66                 | jge                 0x68
            //   83be5c02000008       | cmp                 dword ptr [esi + 0x25c], 8
            //   7c2f                 | jl                  0x31
            //   8b4e4c               | mov                 ecx, dword ptr [esi + 0x4c]
            //   8b462c               | mov                 eax, dword ptr [esi + 0x2c]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx

        $sequence_5 = { 8b55ec 33c9 894de0 894dd4 894df8 398e74020000 0f8eeb0b0000 }
            // n = 7, score = 300
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   33c9                 | xor                 ecx, ecx
            //   894de0               | mov                 dword ptr [ebp - 0x20], ecx
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   398e74020000         | cmp                 dword ptr [esi + 0x274], ecx
            //   0f8eeb0b0000         | jle                 0xbf1

        $sequence_6 = { 3bf2 7402 8916 8997c4130000 5e 5b }
            // n = 6, score = 300
            //   3bf2                 | cmp                 esi, edx
            //   7402                 | je                  4
            //   8916                 | mov                 dword ptr [esi], edx
            //   8997c4130000         | mov                 dword ptr [edi + 0x13c4], edx
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_7 = { 8d55fc 52 8d45e8 50 ff15???????? 83c40c 85c0 }
            // n = 7, score = 300
            //   8d55fc               | lea                 edx, [ebp - 4]
            //   52                   | push                edx
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

        $sequence_8 = { 7547 8d4c2444 51 e8???????? 83c404 3c01 }
            // n = 6, score = 300
            //   7547                 | jne                 0x49
            //   8d4c2444             | lea                 ecx, [esp + 0x44]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   3c01                 | cmp                 al, 1

        $sequence_9 = { 8b1488 8b7df4 3b3c93 760b 895488f0 83c104 3bce }
            // n = 7, score = 300
            //   8b1488               | mov                 edx, dword ptr [eax + ecx*4]
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]
            //   3b3c93               | cmp                 edi, dword ptr [ebx + edx*4]
            //   760b                 | jbe                 0xd
            //   895488f0             | mov                 dword ptr [eax + ecx*4 - 0x10], edx
            //   83c104               | add                 ecx, 4
            //   3bce                 | cmp                 ecx, esi

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules