Sea Turtle is a Turkish-origin APT known for cyber espionage operations since 2017, targeting governments, telecoms, and media across Europe and the Middle East. The article outlines their techniques—cPanel/SSH access, SnappyTCP backdoors, and C2 over HTTP—and discusses defensive measures to mitigate these threats. #SeaTurtle #SnappyTCP
Keypoints
- Sea Turtle (aka Teal Kurma, Marbled Dust, SILICON, Cosmic Wolf) is a Turkish-origin APT active since 2017, initially known for DNS hijacking.
- Targets include governments, terrorist groups, telecoms, IT providers, ISPs, media/entertainment organizations, and NGOs across Europe, the Middle East, and North Africa.
- Core techniques involve traffic redirection and unauthorized access to infrastructure, with reverse shells enabling data collection at scale.
- Initial access commonly occurs via compromised cPanel accounts and SSH usage; Adminer was found in public web directories and linked to SnappyTCP.
- Backdoor communication uses SnappyTCP with C2 over forward.boord[.]info on port 443; socat-based C2 configuration is observed.
- Behaviours useful for detection include credential harvesting via MiTM, encrypted communications over SSH, and erasure of logs and shell history to evade detection.
MITRE Techniques
- [T1588.001] Resource development – Sea Turtle used the SnappyTCP malware, the source of which is available on GitHub. “Sea Turtle used the SnappyTCP malware, the source of which is available on GitHub.”
- [T1133] External Remote Services – Sea Turtle compromised cPanel accounts and used SSH to gain access to the IT infrastructure. “Sea Turtle compromised cPanel accounts and used SSH to gain access to the IT infrastructure.”
- [T1078.004] Valid Accounts – Sea Turtle leveraged compromised cPanel accounts and SSH keys for access. “compromised cPanel accounts and used SSH to gain access to the IT infrastructure.”
- [T1059.004] Bash – Sea Turtle used the Bash Unix shell to execute malicious commands and the SnappyTCP malware. “the Bash Unix shell to execute malicious commands and the SnappyTCP malware.”
- [T1505.003] Persistence – Sea Turtle executed SnappyTCP under nohup so it kept running after the shell exited, and installed Adminer in the public web directory of a cPanel account. “NoHup, which keeps the malware running on a system after exiting the shell or terminal, and installed Adminer in the public web directory of a cPanel account.”
- [T1070.003] Indicator Removal on Host – Sea Turtle reset Bash and MySQL history and overwrote Linux system logs. “reset the command (bash) and MySQL history file and overwritten Linux system logs.”
- [T1114.001] Email Collection – Sea Turtle copied the email archive of a compromised cPanel account to a public web directory. “created a copy of the email archive of a compromised cPanel account in the public web directory of a website accessible from the Internet.”
- [T1071.001] Web Protocols – Command and Control channel to forward.boord[.]info on port 443 using TCP and HTTP. “establish a command and control channel to the domain name forward.boord[.]info on port 443 using TCP and HTTP protocols.”
- [T1095] Non-Application Layer Protocol – C2 environment configured in socat format. “the C&C environment is configured in ‘socat’ format.”
- [T1567] Exfiltration – Exfiltrated email archive by downloading from the public site. “exfiltrated the email archive by downloading the file from the website.”
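A defender-side check for two of the cPanel behaviours listed above (Adminer dropped into the public web directory, and a copied email archive downloaded from the site), run over web-server access logs. This is an added example, not code from the article or from Cyberthint; the combined log format, the Adminer filename pattern, the archive extensions and the 10 MiB size threshold are assumptions, and the log lines are constructed.

```python
import re
from typing import Dict, Iterator, List

# Apache/nginx "combined" access-log format (assumed; adjust for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Adminer is usually deployed as a single PHP file; an archive served from a web
# root with a large byte count is consistent with a staged mail-store copy.
# Both patterns and the threshold are assumptions for this example.
ADMINER_RE = re.compile(r'/adminer[^/]*\.php$', re.IGNORECASE)
ARCHIVE_RE = re.compile(r'\.(tar\.gz|tgz|zip|7z|mbox)$', re.IGNORECASE)
LARGE_DOWNLOAD_BYTES = 10 * 1024 * 1024  # 10 MiB

def parse_access_log(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per parseable combined-format log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def hunt_staged_exfil(lines) -> List[Dict[str, str]]:
    """Flag Adminer requests and successful large archive downloads."""
    findings = []
    for rec in parse_access_log(lines):
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if ADMINER_RE.search(path):
            findings.append({"rule": "adminer_in_webroot", "ip": rec["ip"], "path": path})
        nbytes = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
        if rec["status"] == "200" and ARCHIVE_RE.search(path) and nbytes >= LARGE_DOWNLOAD_BYTES:
            findings.append({"rule": "large_archive_download", "ip": rec["ip"],
                             "path": path, "bytes": rec["bytes"]})
    return findings

# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jan/2024:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Jan/2024:10:02:15 +0000] "GET /adminer-4.8.1.php?username=root HTTP/1.1" 200 41234 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Jan/2024:10:09:44 +0000] "GET /mail_backup.tar.gz HTTP/1.1" 200 734003200 "-" "curl/8.4.0"',
    '198.51.100.7 - - [12/Jan/2024:10:10:01 +0000] "GET /downloads/brochure.zip HTTP/1.1" 200 204800 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jan/2024:10:11:30 +0000] "GET /mail_backup.tar.gz HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in hunt_staged_exfil(SAMPLE_LOG):
        print(finding)
```

A small legitimate archive (the brochure) and a failed 404 request are deliberately left unflagged, so the size threshold and status check are what keep the rule from firing on normal downloads.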
Indicators of Compromise
- [SHA-256] file hashes – aea947f06ac36c07ae37884abc5b6659d91d52aa99fd7d26bd0e233fd0fe7ad4, ae89540cdfb11b0c9ebda8cfdf8f5e27ba8b729c46abc395a0e1e8bb99b00c54, and 28 more hashes
- [SHA-1] file hashes – ddcc23f81362bb394e0ee66fda549a1523860b3b, da64b83c2998212bbf77862e17d3564a0745f222, and 2 more
- [MD5] file hashes – d036adb864e46ad88dd2c1dbca62137a, c7e99654250bf4e3286c3ea7547a62fe, and 8 more
- [IP] addresses – 185.158.248.8, 108.61.103.186
- [Domain] domains – eth0.secrsys.net, al-marsad.co
- [URL] web URLs – hxxp://108.61.103.186/sy.php, hxxp://lo0.systemctl.network/sy.php
Read more: https://cyberthint.io/sea-turtle-apt-group-analysis/