win.turla_silentmoon

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla Group


There is no description at this point.

References

2022-06-12 | cocomelonc | Malware development: persistence - part 7. Winlogon. Simple C++ example.
@online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} }
Families: BazarBackdoor, Gazer, TurlaRPC, Turla SilentMoon

2021-11-05 | Emanuele De Lucia (Emanuele De Lucia on Security) | The BigBoss Rules: Something about one of the Uroburos' RPC-based backdoors
@online{lucia:20211105:bigboss:bcea512, author = {Emanuele De Lucia}, title = {{The BigBoss Rules: Something about one of the Uroburos' RPC-based backdoors}}, date = {2021-11-05}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/}, language = {English}, urldate = {2021-11-08} }
Families: Turla SilentMoon

2021-02-28 | PWC UK | Cyber Threats 2020: A Year in Retrospect
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
Families: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare
Actors: APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Tonto Team

2020-10-28 | Cyber Defense (Accenture) | Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} }
Families: Cobra Carbon System, Kazuar, TurlaRPC, Turla SilentMoon

2020-09-11 | Arkbird (Twitter, @Arkbird_SOLG) | Tweet on discovery of a sample
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} }
Families: Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20230125 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b801000000 2bd0 8d9b00000000 8b5df8 f6c201 7410 }
            // n = 6, score = 300
            //   b801000000           | mov                 eax, 1
            //   2bd0                 | sub                 edx, eax
            //   8d9b00000000         | lea                 ebx, [ebx]
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   f6c201               | test                dl, 1
            //   7410                 | je                  0x12

        $sequence_1 = { 89865c020000 8b45dc 09be58020000 0fb608 42 }
            // n = 5, score = 300
            //   89865c020000         | mov                 dword ptr [esi + 0x25c], eax
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   09be58020000         | or                  dword ptr [esi + 0x258], edi
            //   0fb608               | movzx               ecx, byte ptr [eax]
            //   42                   | inc                 edx

        $sequence_2 = { 8944242c ff15???????? 8b44241c 8b0d???????? 50 6a08 51 }
            // n = 7, score = 300
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   ff15????????         |                     
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8b0d????????         |                     
            //   50                   | push                eax
            //   6a08                 | push                8
            //   51                   | push                ecx

        $sequence_3 = { eb03 8b75f0 85f6 740c }
            // n = 4, score = 300
            //   eb03                 | jmp                 5
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   85f6                 | test                esi, esi
            //   740c                 | je                  0xe

        $sequence_4 = { 8bf0 6a0a 8d4de8 51 }
            // n = 4, score = 300
            //   8bf0                 | mov                 esi, eax
            //   6a0a                 | push                0xa
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   51                   | push                ecx

        $sequence_5 = { 8d5002 668b08 83c002 6685c9 75f5 8b0d???????? 56 }
            // n = 7, score = 300
            //   8d5002               | lea                 edx, [eax + 2]
            //   668b08               | mov                 cx, word ptr [eax]
            //   83c002               | add                 eax, 2
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 0xfffffff7
            //   8b0d????????         |                     
            //   56                   | push                esi

        $sequence_6 = { c7464c00000000 83be6802000002 7c1b 52 50 a1???????? 51 }
            // n = 7, score = 300
            //   c7464c00000000       | mov                 dword ptr [esi + 0x4c], 0
            //   83be6802000002       | cmp                 dword ptr [esi + 0x268], 2
            //   7c1b                 | jl                  0x1d
            //   52                   | push                edx
            //   50                   | push                eax
            //   a1????????           |                     
            //   51                   | push                ecx

        $sequence_7 = { ff04be 8d3cbe 0fb77c4b02 03f8 ff04be 8d3cbe }
            // n = 6, score = 300
            //   ff04be               | inc                 dword ptr [esi + edi*4]
            //   8d3cbe               | lea                 edi, [esi + edi*4]
            //   0fb77c4b02           | movzx               edi, word ptr [ebx + ecx*2 + 2]
            //   03f8                 | add                 edi, eax
            //   ff04be               | inc                 dword ptr [esi + edi*4]
            //   8d3cbe               | lea                 edi, [esi + edi*4]

        $sequence_8 = { e8???????? 89442434 03c3 39442448 0f82f4060000 a1???????? 68e8030000 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   89442434             | mov                 dword ptr [esp + 0x34], eax
            //   03c3                 | add                 eax, ebx
            //   39442448             | cmp                 dword ptr [esp + 0x48], eax
            //   0f82f4060000         | jb                  0x6fa
            //   a1????????           |                     
            //   68e8030000           | push                0x3e8

        $sequence_9 = { 8b7df8 8bbcbdd0f3ffff 8d4900 89b48de0fbffff 8bc8 d1f8 8bb485e0fbffff }
            // n = 7, score = 300
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   8bbcbdd0f3ffff       | mov                 edi, dword ptr [ebp + edi*4 - 0xc30]
            //   8d4900               | lea                 ecx, [ecx]
            //   89b48de0fbffff       | mov                 dword ptr [ebp + ecx*4 - 0x420], esi
            //   8bc8                 | mov                 ecx, eax
            //   d1f8                 | sar                 eax, 1
            //   8bb485e0fbffff       | mov                 esi, dword ptr [ebp + eax*4 - 0x420]

    condition:
        7 of them and filesize < 204800
}