{
  "Event": {
    "analysis": "2",
    "date": "2021-09-24",
    "extends_uuid": "",
    "info": "TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines",
    "publish_timestamp": "1632471296",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1632471288",
    "uuid": "d5ccd0b6-f554-4182-8ac3-c8a4d5789ba6",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      { "colour": "#004646", "name": "type:OSINT" },
      { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" },
      { "colour": "#0087e8", "name": "osint:certainty=\"50\"" },
      { "colour": "#ffffff", "name": "tlp:white" },
      { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Turla - G0010\"" },
      { "colour": "#12e200", "name": "misp-galaxy:threat-actor=\"Turla Group\"" }
    ],
    "Attribute": [
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1632471034",
        "to_ids": true,
        "type": "sha256",
        "uuid": "327ed82a-9666-498f-8ecc-192fc7c06f12",
        "value": "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "Metadata used to generate an executive level report",
        "meta-category": "misc",
        "name": "report",
        "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
        "template_version": "4",
        "timestamp": "1632471017",
        "uuid": "4639d0ff-7a62-41b3-a940-cdcb09f3fe35",
        "Attribute": [
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "link",
            "timestamp": "1632471017",
            "to_ids": false,
            "type": "link",
            "uuid": "65654f61-cd9f-416f-a840-debc025dc4da",
            "value": "https://blog.talosintelligence.com/2021/09/tinyturla.html"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "summary",
            "timestamp": "1632471017",
            "to_ids": false,
            "type": "text",
            "uuid": "4368eb41-7e59-4a68-b66c-c9c7c51a11dc",
            "value": "Cisco Talos found a previously undiscovered backdoor from the Turla APT that we are seeing in the wild. This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware."
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "type",
            "timestamp": "1632471017",
            "to_ids": false,
            "type": "text",
            "uuid": "83b51ac8-9547-41f0-b3ac-5f6c4cfa2ebb",
            "value": "Blog post"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "5",
        "timestamp": "1632471060",
        "uuid": "eefe6bfb-d38a-4a21-bc00-ecbd6506cffd",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "context",
            "timestamp": "1632471060",
            "to_ids": false,
            "type": "text",
            "uuid": "d670480f-3907-4e8b-87cb-f3e905b41082",
            "value": "all"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1632471060",
            "to_ids": true,
            "type": "yara",
            "uuid": "150de82b-b716-475b-a8c3-bd093c32c9db",
            "value": "import \"pe\"\r\nrule TinyTurla {\r\nmeta:\r\nauthor = \"Cisco Talos\"\r\ndescription = \"Detects Tiny Turla backdoor DLL\"\r\nstrings:\r\n$a = \"Title:\" fullword wide\r\n$b = \"Hosts\" fullword wide\r\n$c = \"Security\" fullword wide\r\n$d = \"TimeLong\" fullword wide\r\n$e = \"TimeShort\" fullword wide\r\n$f = \"MachineGuid\" fullword wide\r\n$g = \"POST\" fullword wide\r\n$h = \"WinHttpSetOption\" fullword ascii\r\n$i = \"WinHttpQueryDataAvailable\" fullword ascii\r\n\r\ncondition:\r\npe.is_pe and\r\npe.characteristics & pe.DLL and\r\npe.exports(\"ServiceMain\") and\r\nall of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "24",
        "timestamp": "1632471288",
        "uuid": "96abab21-a8a7-4869-b680-89144e5625e7",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "96abab21-a8a7-4869-b680-89144e5625e7",
            "referenced_uuid": "f06729c8-10e4-4d20-9605-1661be3ae2c7",
            "relationship_type": "analysed-with",
            "timestamp": "1632471126",
            "uuid": "ddab642d-65a9-4959-9171-68d8fcde64eb"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1632471288",
            "to_ids": true,
            "type": "md5",
            "uuid": "3b77b5ee-d61f-4058-b201-96bba8d4b1b0",
            "value": "028878c4b6ab475ed0be97eca6f92af9"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1632471288",
            "to_ids": true,
            "type": "sha1",
            "uuid": "38d60352-93fb-4aa3-ac12-0d5c1f52bc7d",
            "value": "02c37ccdfccfe03560a4bf069f46e8ae3a5d2348"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1632471288",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ca150bd0-5e16-496f-b43d-0b655cb96c37",
            "value": "030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "4",
        "timestamp": "1632471126",
        "uuid": "f06729c8-10e4-4d20-9605-1661be3ae2c7",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "last-submission",
            "timestamp": "1632471034",
            "to_ids": false,
            "type": "datetime",
            "uuid": "e8315fa6-f0c1-4e44-9bcc-c7a6d7aa8ebb",
            "value": "2021-09-24T06:19:11+00:00"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "permalink",
            "timestamp": "1632471034",
            "to_ids": false,
            "type": "link",
            "uuid": "0643f79e-7e59-46ad-b98d-b00f28b73c5c",
            "value": "https://www.virustotal.com/gui/file/030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01/detection/f-030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01-1632464351"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1632471034",
            "to_ids": false,
            "type": "text",
            "uuid": "b6fb0bca-c924-4dfc-937b-30cfe83b1ceb",
            "value": "48/68"
          }
        ]
      }
    ]
  }
}