SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_silentmoon (Back to overview)

Turla SilentMoon

aka: BigBoss, Cacao, GoldenSky, HyperStack

Actor(s): Turla

There is no description at this point.

References
2022-06-12cocomelonc
@online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 7. Winlogon. Simple C++ example.
BazarBackdoor Gazer TurlaRPC Turla SilentMoon
2021-11-05Emanuele De Lucia on SecurityEmanuele De Lucia
@online{lucia:20211105:bigboss:bcea512, author = {Emanuele De Lucia}, title = {{The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors}}, date = {2021-11-05}, organization = {Emanuele De Lucia on Security}, url = {https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/}, language = {English}, urldate = {2021-11-08} } The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
Turla SilentMoon
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2020-09-11Twitter (@Arkbird_SOLG)Arkbird
@online{arkbird:20200911:discovery:99adb88, author = {Arkbird}, title = {{Tweet on discovery of a sample}}, date = {2020-09-11}, organization = {Twitter (@Arkbird_SOLG)}, url = {https://twitter.com/Arkbird_SOLG/status/1304187749373800455}, language = {English}, urldate = {2020-10-21} } Tweet on discovery of a sample
Turla SilentMoon
Yara Rules
[TLP:WHITE] win_turla_silentmoon_auto (20230715 | Detects win.turla_silentmoon.)
rule win_turla_silentmoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.turla_silentmoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4dd8 57 6a0f 51 e8???????? 83c40c }
            // n = 6, score = 300
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   57                   | push                edi
            //   6a0f                 | push                0xf
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_1 = { 8b4508 50 ff15???????? 8a45ff 5f 5e 5b }
            // n = 7, score = 300
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8a45ff               | mov                 al, byte ptr [ebp - 1]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_2 = { 83c408 8b572c 8b4728 56 52 ffd0 }
            // n = 6, score = 300
            //   83c408               | add                 esp, 8
            //   8b572c               | mov                 edx, dword ptr [edi + 0x2c]
            //   8b4728               | mov                 eax, dword ptr [edi + 0x28]
            //   56                   | push                esi
            //   52                   | push                edx
            //   ffd0                 | call                eax

        $sequence_3 = { 85c0 7410 53 e8???????? 83c404 32c0 }
            // n = 6, score = 300
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   32c0                 | xor                 al, al

        $sequence_4 = { 898e5c020000 0fb77c7b4e 897df4 8b3cba 897dd4 8b7df4 }
            // n = 6, score = 300
            //   898e5c020000         | mov                 dword ptr [esi + 0x25c], ecx
            //   0fb77c7b4e           | movzx               edi, word ptr [ebx + edi*2 + 0x4e]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   8b3cba               | mov                 edi, dword ptr [edx + edi*4]
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi
            //   8b7df4               | mov                 edi, dword ptr [ebp - 0xc]

        $sequence_5 = { 2bd1 8945f8 894dec 8975f0 83fa0a 7d13 8b5d08 }
            // n = 7, score = 300
            //   2bd1                 | sub                 edx, ecx
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   83fa0a               | cmp                 edx, 0xa
            //   7d13                 | jge                 0x15
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]

        $sequence_6 = { 75f9 2bc2 a803 7409 c1e802 8d444003 eb06 }
            // n = 7, score = 300
            //   75f9                 | jne                 0xfffffffb
            //   2bc2                 | sub                 eax, edx
            //   a803                 | test                al, 3
            //   7409                 | je                  0xb
            //   c1e802               | shr                 eax, 2
            //   8d444003             | lea                 eax, [eax + eax*2 + 3]
            //   eb06                 | jmp                 8

        $sequence_7 = { ff15???????? 8945f8 85c0 7419 a1???????? }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   85c0                 | test                eax, eax
            //   7419                 | je                  0x1b
            //   a1????????           |                     

        $sequence_8 = { 8a54380b 8a5c3e0b 3ada 0f856affffff 8b5508 83c00c 83c60c }
            // n = 7, score = 300
            //   8a54380b             | mov                 dl, byte ptr [eax + edi + 0xb]
            //   8a5c3e0b             | mov                 bl, byte ptr [esi + edi + 0xb]
            //   3ada                 | cmp                 bl, dl
            //   0f856affffff         | jne                 0xffffff70
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c00c               | add                 eax, 0xc
            //   83c60c               | add                 esi, 0xc

        $sequence_9 = { 09be58020000 8b7df8 898e5c020000 0fb77c7b04 897df4 8b3cba 897dd4 }
            // n = 7, score = 300
            //   09be58020000         | or                  dword ptr [esi + 0x258], edi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   898e5c020000         | mov                 dword ptr [esi + 0x25c], ecx
            //   0fb77c7b04           | movzx               edi, word ptr [ebx + edi*2 + 4]
            //   897df4               | mov                 dword ptr [ebp - 0xc], edi
            //   8b3cba               | mov                 edi, dword ptr [edx + edi*4]
            //   897dd4               | mov                 dword ptr [ebp - 0x2c], edi

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules