SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_silentmoon (Back to overview)

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla

VTCollection    

There is no description at this point.

References
2022-06-12cocomelonc
Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2021-11-05Emanuele De Lucia on SecurityEmanuele De Lucia
The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
Turla SilentMoon
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-10-28AccentureCyber Defense
Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11Twitter (@Arkbird_SOLG)Arkbird
Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20230808 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 88442453 a1???????? 89442430 a0???????? 53 56 88442444 }
            // n = 7, score = 300
            //   88442453             | mov                 byte ptr [esp + 0x53], al
            //   a1????????           |                     
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   a0????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi
            //   88442444             | mov                 byte ptr [esp + 0x44], al

        $sequence_1 = { 8b4508 85c0 0f84f9010000 8938 5e 5b 8be5 }
            // n = 7, score = 300
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax
            //   0f84f9010000         | je                  0x1ff
            //   8938                 | mov                 dword ptr [eax], edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp

        $sequence_2 = { 51 6800001000 53 56 ff15???????? 83f801 }
            // n = 6, score = 300
            //   51                   | push                ecx
            //   6800001000           | push                0x100000
            //   53                   | push                ebx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   83f801               | cmp                 eax, 1

        $sequence_3 = { b950000000 e8???????? 83c404 6a08 b990000000 e8???????? }
            // n = 6, score = 300
            //   b950000000           | mov                 ecx, 0x50
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   6a08                 | push                8
            //   b990000000           | mov                 ecx, 0x90
            //   e8????????           |                     

        $sequence_4 = { 8b94bd28feffff 8d441001 8b55f0 8955d4 8b94bd28feffff 8955d8 8b55f0 }
            // n = 7, score = 300
            //   8b94bd28feffff       | mov                 edx, dword ptr [ebp + edi*4 - 0x1d8]
            //   8d441001             | lea                 eax, [eax + edx + 1]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx
            //   8b94bd28feffff       | mov                 edx, dword ptr [ebp + edi*4 - 0x1d8]
            //   8955d8               | mov                 dword ptr [ebp - 0x28], edx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]

        $sequence_5 = { 3bd1 7c9a 0fb608 3bd1 7e66 83be5c02000008 7c2f }
            // n = 7, score = 300
            //   3bd1                 | cmp                 edx, ecx
            //   7c9a                 | jl                  0xffffff9c
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   3bd1                 | cmp                 edx, ecx
            //   7e66                 | jle                 0x68
            //   83be5c02000008       | cmp                 dword ptr [esi + 0x25c], 8
            //   7c2f                 | jl                  0x31

        $sequence_6 = { 48 83f803 0f878a000000 ff248588344000 8bc3 e8???????? }
            // n = 6, score = 300
            //   48                   | dec                 eax
            //   83f803               | cmp                 eax, 3
            //   0f878a000000         | ja                  0x90
            //   ff248588344000       | jmp                 dword ptr [eax*4 + 0x403488]
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     

        $sequence_7 = { 85ff 0f8f82fcffff 5f 5b }
            // n = 4, score = 300
            //   85ff                 | test                edi, edi
            //   0f8f82fcffff         | jg                  0xfffffc88
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_8 = { 7e0a 8b4df0 8b7dd8 33c0 f3ab 8145d808040000 }
            // n = 6, score = 300
            //   7e0a                 | jle                 0xc
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   8b7dd8               | mov                 edi, dword ptr [ebp - 0x28]
            //   33c0                 | xor                 eax, eax
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8145d808040000       | add                 dword ptr [ebp - 0x28], 0x408

        $sequence_9 = { 741f 8b4508 85c0 7406 c700faffffff c787c4130000faffffff 5e }
            // n = 7, score = 300
            //   741f                 | je                  0x21
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   c700faffffff         | mov                 dword ptr [eax], 0xfffffffa
            //   c787c4130000faffffff     | mov    dword ptr [edi + 0x13c4], 0xfffffffa
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules