2017-08-09 by CSE Canada from CSE
2015-09-09 by Stefan Tanase from Kaspersky Labs
Tool: Satellite Turla
Names: Satellite Turla
Description: (Kaspersky) The regular usage of satellite-based Internet links by the Turla group represents an interesting aspect of their operation. The links are generally up for several months, but never for too long. It is unknown if this is due to operational security limitations self-imposed by the group or because of shutdown by other parties due to malicious behavior. The technical method used to implement these Internet circuits relies on hijacking downstream bandwidth from various ISPs and packet-spoofing. This is a method that is technically easy to implement, and provides a much higher degree of anonymity than possibly any other conventional method such as renting a VPS or hacking a legitimate server.
Category: Malware
Type: Backdoor, Tunneling
Information: https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:satellite
Last-card-change: 2021-04-24
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Procedure |
---|---|---|
Reconnaissance (TA0043) | (no techniques listed) | |
Resource Development (TA0042) | T1583.006 Acquire Infrastructure: Web Services | Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration. |
Resource Development (TA0042) | T1584.003 Compromise Infrastructure: Virtual Private Server | Turla has used the VPS infrastructure of compromised Iranian threat actors. |
Resource Development (TA0042) | T1584.006 Compromise Infrastructure: Web Services | Turla has frequently used compromised WordPress sites for C2 infrastructure. |
Resource Development (TA0042) | T1587.001 Develop Capabilities: Malware | Turla has developed its own unique malware for use in operations. |
Resource Development (TA0042) | T1588.001 Obtain Capabilities: Malware | Turla has used malware obtained after compromising other threat actors, such as OilRig. |
Resource Development (TA0042) | T1588.002 Obtain Capabilities: Tool | Turla has obtained and customized publicly available tools like Mimikatz. |
Initial Access (TA0001) | T1566.002 Phishing: Spearphishing Link | Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from adobe.com to download their malware and gain initial access. |
Initial Access (TA0001) | T1078.003 Valid Accounts: Local Accounts | Turla has abused local accounts that have the same password across the victim's network. |
Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject. Turla has also used PowerShell scripts to load and execute malware in memory. |
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Turla RPC backdoors have used cmd.exe to execute commands. |
Execution (TA0002) | T1059.005 Command and Scripting Interpreter: Visual Basic | Turla has used VBS scripts throughout its operations. |
Execution (TA0002) | T1059.006 Command and Scripting Interpreter: Python | Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads. |
Execution (TA0002) | T1059.007 Command and Scripting Interpreter: JavaScript | Turla has used various JavaScript-based backdoors. |
Execution (TA0002) | T1106 Native API | Turla and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes. |
Execution (TA0002) | T1204.001 User Execution: Malicious Link | Turla has used spearphishing via a link to get users to download and run their malware. |
Persistence (TA0003) | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | A Turla JavaScript backdoor added a local_update_check value under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. |
Persistence (TA0003) | T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL | Turla established persistence by adding a Shell value under the registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. |
Persistence (TA0003) | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription | Turla has used WMI event filters and consumers to establish persistence. |
Persistence (TA0003) | T1546.013 Event Triggered Execution: PowerShell Profile | Turla has used PowerShell profiles to maintain persistence on an infected machine. |
Persistence (TA0003) | T1078.003 Valid Accounts: Local Accounts | Turla has abused local accounts that have the same password across the victim's network. |
Privilege Escalation (TA0004) | T1134.002 Access Token Manipulation: Create Process with Token | Turla RPC backdoors can impersonate or steal process tokens before executing commands. |
Privilege Escalation (TA0004) | T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | A Turla JavaScript backdoor added a local_update_check value under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence. |
Privilege Escalation (TA0004) | T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL | Turla established persistence by adding a Shell value under the registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. |
Privilege Escalation (TA0004) | T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription | Turla has used WMI event filters and consumers to establish persistence. |
Privilege Escalation (TA0004) | T1546.013 Event Triggered Execution: PowerShell Profile | Turla has used PowerShell profiles to maintain persistence on an infected machine. |
Privilege Escalation (TA0004) | T1068 Exploitation for Privilege Escalation | Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges. |
Privilege Escalation (TA0004) | T1055 Process Injection | Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system. |
Privilege Escalation (TA0004) | T1055.001 Process Injection: Dynamic-link Library Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. |
Privilege Escalation (TA0004) | T1078.003 Valid Accounts: Local Accounts | Turla has abused local accounts that have the same password across the victim's network. |
Defense Evasion (TA0005) | T1134.002 Access Token Manipulation: Create Process with Token | Turla RPC backdoors can impersonate or steal process tokens before executing commands. |
Defense Evasion (TA0005) | T1140 Deobfuscate/Decode Files or Information | Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell profile, to decode encrypted PowerShell payloads. |
Defense Evasion (TA0005) | T1562.001 Impair Defenses: Disable or Modify Tools | Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products. |
Defense Evasion (TA0005) | T1027.005 Obfuscated Files or Information: Indicator Removal from Tools | Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe. |
Defense Evasion (TA0005) | T1027.010 Obfuscated Files or Information: Command Obfuscation | Turla has used encryption (including salted 3DES via PowerSploit's Out-EncryptedScript.ps1), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads. |
Defense Evasion (TA0005) | T1027.011 Obfuscated Files or Information: Fileless Storage | Turla has used the Registry to store encrypted and encoded payloads. |
Defense Evasion (TA0005) | T1055 Process Injection | Turla has also used PowerSploit's Invoke-ReflectivePEInjection.ps1 to reflectively load a PowerShell payload into a random process on the victim system. |
Defense Evasion (TA0005) | T1055.001 Process Injection: Dynamic-link Library Injection | Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges. |
Defense Evasion (TA0005) | T1553.006 Subvert Trust Controls: Code Signing Policy Modification | Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges. |
Defense Evasion (TA0005) | T1078.003 Valid Accounts: Local Accounts | Turla has abused local accounts that have the same password across the victim's network. |
Credential Access (TA0006) | T1110 Brute Force | Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords. |
Credential Access (TA0006) | T1555.004 Credentials from Password Stores: Windows Credential Manager | Turla has gathered credentials from the Windows Credential Manager tool. |
Discovery (TA0007) | T1087.001 Account Discovery: Local Account | Turla has used net user to enumerate local accounts on the system. |
Discovery (TA0007) | T1087.002 Account Discovery: Domain Account | Turla has used net user /domain to enumerate domain accounts. |
Discovery (TA0007) | T1083 File and Directory Discovery | Turla surveys a system upon check-in to discover files in specific locations on the hard disk: the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the lph*.dll pattern. |
Discovery (TA0007) | T1615 Group Policy Discovery | Turla surveys a system upon check-in to discover Group Policy details using the gpresult command. |
Discovery (TA0007) | T1201 Password Policy Discovery | Turla has used net accounts and net accounts /domain to acquire password policy information. |
Discovery (TA0007) | T1069.001 Permission Groups Discovery: Local Groups | Turla has used net localgroup and net localgroup administrators to enumerate group information, including members of the local Administrators group. |
Discovery (TA0007) | T1069.002 Permission Groups Discovery: Domain Groups | Turla has used net group "domain admins" /domain to identify domain administrators. |
Discovery (TA0007) | T1057 Process Discovery | Turla surveys a system upon check-in to discover running processes using the tasklist /v command. Turla RPC backdoors have also enumerated processes associated with specific open ports or named pipes. |
Discovery (TA0007) | T1012 Query Registry | Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command. Turla has also retrieved PowerShell payloads hidden in Registry keys, as well as checking keys associated with null session named pipes. |
Discovery (TA0007) | T1018 Remote System Discovery | Turla surveys a system upon check-in to discover remote systems on a local network using the net view and net view /domain commands. Turla has also used net group "domain computers" /domain, net group "domain controllers" /domain, and net group "exchange servers" /domain to enumerate domain computers, including the organization's DC and Exchange server. |
Discovery (TA0007) | T1518.001 Software Discovery: Security Software Discovery | Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected. |
Discovery (TA0007) | T1082 System Information Discovery | Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan. Turla RPC backdoors have also retrieved registered RPC interface information from process memory. |
Discovery (TA0007) | T1016.001 System Network Configuration Discovery: Internet Connection Discovery | Turla has used tracert to check internet connectivity. |
Discovery (TA0007) | T1049 System Network Connections Discovery | Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands. Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call. |
Discovery (TA0007) | T1007 System Service Discovery | Turla surveys a system upon check-in to discover running services and associated processes using the tasklist /svc command. |
Discovery (TA0007) | T1124 System Time Discovery | Turla surveys a system upon check-in to discover the system time by using the net time command. |
Lateral Movement (TA0008) | T1570 Lateral Tool Transfer | Turla RPC backdoors can be used to transfer files to/from victim machines on the local network. |
Lateral Movement (TA0008) | T1021.002 Remote Services: SMB/Windows Admin Shares | Turla used net use commands to connect to lateral systems within a network. |
Collection (TA0009) | T1560.001 Archive Collected Data: Archive via Utility | Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration. |
Collection (TA0009) | T1213 Data from Information Repositories | Turla has used a custom .NET tool to collect documents from an organization's internal central database. |
Command and Control (TA0011) | T1071.001 Application Layer Protocol: Web Protocols | Turla has used HTTP and HTTPS for C2 communications. |
Command and Control (TA0011) | T1071.003 Application Layer Protocol: Mail Protocols | Turla has used multiple backdoors which communicate with a C2 server via email attachments. |
Command and Control (TA0011) | T1105 Ingress Tool Transfer | Turla has used shellcode to download Meterpreter after compromising a victim. |
Command and Control (TA0011) | T1090.001 Proxy: Internal Proxy | Turla has compromised internal network systems to act as a proxy to forward traffic to C2. |
Command and Control (TA0011) | T1102 Web Service | Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications. |
Command and Control (TA0011) | T1102.002 Web Service: Bidirectional Communication | A Turla JavaScript backdoor has used Google Apps Script as its C2 server. |
Exfiltration (TA0010) | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared. |
Impact (TA0040) | (no techniques listed) | |