{
"Event" : {
"analysis" : "2" ,
"date" : "2021-09-24" ,
"extends_uuid" : "" ,
"info" : "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines" ,
"publish_timestamp" : "1632471296" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1632471288" ,
"uuid" : "d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#12e200" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Turla Group\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1632471034" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "327ed82a-9666-498f-8ecc-192fc7c06f12" ,
"value" : "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "4" ,
"timestamp" : "1632471017" ,
"uuid" : "4639d0ff-7a62-41b3-a940-cdcb09f3fe35" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1632471017" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "65654f61-cd9f-416f-a840-debc025dc4da" ,
"value" : "https://blog.talosintelligence.com/2021/09/tinyturla.html"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1632471017" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4368eb41-7e59-4a68-b66c-c9c7c51a11dc" ,
"value" : "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "type" ,
"timestamp" : "1632471017" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb" ,
"value" : "Blog post"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "5" ,
"timestamp" : "1632471060" ,
"uuid" : "eefe6bfb-d38a-4a21-bc00-ecbd6506cffd" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1632471060" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d670480f-3907-4e8b-87cb-f3e905b41082" ,
"value" : "all"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1632471060" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "150de82b-b716-475b-a8c3-bd093c32c9db" ,
"value" : "import \"pe\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \"Cisco Talos\"\r\ndescription = \"Detects Tiny Turla backdoor DLL\"\r\nstrings:\r\n$a = \"Title:\" fullword wide\r\n$b = \"Hosts\" fullword wide\r\n$c = \"Security\" fullword wide\r\n$d = \"TimeLong\" fullword wide\r\n$e = \"TimeShort\" fullword wide\r\n$f = \"MachineGuid\" fullword wide\r\n$g = \"POST\" fullword wide\r\n$h = \"WinHttpSetOption\" fullword ascii\r\n$i = \"WinHttpQueryDataAvailable\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\"ServiceMain\") and\r\nall of them\r\n}"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1632471288" ,
"uuid" : "96abab21-a8a7-4869-b680-89144e5625e7" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "96abab21-a8a7-4869-b680-89144e5625e7" ,
"referenced_uuid" : "f06729c8-10e4-4d20-9605-1661be3ae2c7" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1632471126" ,
"uuid" : "ddab642d-65a9-4959-9171-68d8fcde64eb"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1632471288" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3b77b5ee-d61f-4058-b201-96bba8d4b1b0" ,
"value" : "028878c4b6ab475ed0be97eca6f92af9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1632471288" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "38d60352-93fb-4aa3-ac12-0d5c1f52bc7d" ,
"value" : "02c37ccdfccfe03560a4bf069f46e8ae3a5d2348"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1632471288" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "ca150bd0-5e16-496f-b43d-0b655cb96c37" ,
"value" : "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "4" ,
"timestamp" : "1632471126" ,
"uuid" : "f06729c8-10e4-4d20-9605-1661be3ae2c7" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "last-submission" ,
"timestamp" : "1632471034" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb" ,
"value" : "2021-09-24T06:19:11+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "permalink" ,
"timestamp" : "1632471034" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "0643f79e-7e59-46ad-b98d-b00f28b73c5c" ,
"value" : "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1632471034" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb" ,
"value" : "48/68"
}
]
}
]
}
}