Tomiris called, they want their Turla malware back

MITRE Techniques

• [T1566.001] Phishing – Spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs) used to deliver Tomiris implants. Quote: ‘spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs)’.
• [T1583] Acquire Infrastructure – Domains – DNS hijacking used to deliver implants and establish C2 (via Telegram). Quote: ‘open to experimentation – for instance with delivery methods (DNS hijacking) or command and control (C2) channels (Telegram).’
• [T1190] Exploit Public-Facing Application – ProxyLogon exploitation of vulnerabilities to gain access. Quote: ‘exploitation of vulnerabilities (specifically ProxyLogon)’.
• [T1189] Drive-by Compromise – Suspected drive-by downloads and other methods used to deploy implants. Quote: ‘suspected drive-by downloads and other “creative” methods (see details of the investigation described below).’
• [T1041] Exfiltration Over C2 Channel – Files uploaded to C2 in ZIP archives. Quote: ‘uploads them to the C2 in ZIP archives.’
• [T1082] System Information Discovery – Backdoor gathers system info, current user, and IP. Quote: ‘The backdoor starts by gathering information on the victim machine, such as the system information, current user and public IP address.’
• [T1059.003] Windows Command Shell – JLORAT and related components process commands via cmd|[command]. Quote: ‘cmd|[command] Executes the specified command, and returns the result in the cmd key of the JSON response.’
• [T1547.001] Boot or Logon Autostart Execution – Persistence via copying under AppData and a RUN key entry. Quote: ‘persistence (copying itself under %AppData%/service/ and creating a RUN key entry)’.
• [T1071.001] Web Protocols – C2 channel over Telegram. Quote: ‘Telegram as a C2 channel.’