Key points
- Turla (Pensive Ursa) is a Russian-based threat group active since 2004 and connected to the FSB, targeting diverse sectors worldwide.
- The article highlights 10 malware families in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack, and TinyTurla.
MITRE Techniques
- [T1566.001] Phishing – Capibar delivered via email with malicious macros. “distributed it via email as documents with malicious macros.”
- [T1053.005] Scheduled Task – Capibar persists via a scheduled task that downloads and launches the payload in memory. “persists via a scheduled task that downloads and launches the payload in memory.”
- [T1059.001] PowerShell – ComRAT uses PowerShell implants; “PowerShell implants, such as PowerStallion.”
- [T1055] Process Injection – Kazuar shows DLLs injected into explorer.exe. “Kazuar injected into explorer.exe.”
- [T1068] Exploitation for Privilege Escalation – Snake uses a vulnerable VM driver for privilege escalation. “a vulnerable VM driver that is used for privilege escalation.”
- [T1574.001] DLL Search Order Hijacking – Crutch persistence via DLL hijacking. “persistence is achieved using DLL hijacking.”
- [T1021] Lateral Movement – Remote Services – HyperStack uses named pipes over RPC to control machines on a local network. “uses named pipes to communicate over RPC with other machines in a compromised environment.”
- [T1102] Web Service – Carbon uses Pastebin and similar services for C2 communication. “through the use of legitimate web services providers like Pastebin.”
- [T1105] Ingress Tool Transfer – Kopiluwak is delivered as a multilayered JavaScript payload by droppers such as Topinambour. “delivered as a multilayered JavaScript payload by various types of droppers.”
- [T1082] System Information Discovery – Kopiluwak reconnaissance commands (systeminfo, tasklist, net, ipconfig, dir). “reconnaissance commands such as systeminfo, tasklist, net, ipconfig, and dir.”
- [T1543.003] Create/Modify System Process: Windows Service – TinyTurla installed as a service via a batch script. “installed the backdoor via a batch script as a service called Windows Time Service.”
- [T1112] Modify Registry – TinyTurla stores its C2 configuration in registry values and reads them back at runtime. “reads these values to communicate with its C2.”
- [T1027] Obfuscated/Compressed Files and Information – QUIETCANARY uses RC4 encryption to protect C2 communications. “RC4 encryption to protect its C2 communication.”
- [T1036] Masquerading – TinyTurla masquerades as w64time.dll in system32. “masquerades as a DLL called w64time.dll, under the system32 folder.”
- [T1021.004] Remote Services (additional) – Crutch’s Dropbox-based exfiltration and the other backdoors share cross-host persistence and remote-access patterns.
- [T1041] Exfiltration – Exfiltration to cloud storage via Dropbox in Crutch. “exfiltrate the data to a Dropbox account controlled by Pensive Ursa operators.”
Indicators of Compromise
- [Hash] Capibar – ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39, 64e8744b39e15b76311733014327311acd77330f8a135132f020eac78199ac8a
- [Domain] Capibar – mail.numina[.]md/owa/scripts/logon.aspx, mail.aet.in[.]ua/outlook/api/logoff.aspx, mail.arlingtonhousing[.]us/outlook/api/logoff.aspx, mail.kzp[.]bg/outlook/api/logoff.aspx, mail.lechateaudelatour[.]fr/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITCHERT/SYNC, mail.lebsack[.]de/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE/RPCWITCHERT/SYNC
- [Hash] Kazuar – 8490daab736aa638b500b27c962a8250bbb8615ae1c68ef77494875ac9d2ada2, b51105c56d1bf8f98b7e924aa5caded8322d037745a128781fa0bc23841d1e70, bf6f30673cf771d52d589865675a293dc5c3668a956d0c2fc0d9403424d429b2, cd4c2e85213c96f79ddda564242efec3b970eded8c59f1f6f4d9a420eb8f1858
- [Domain] Kazuar – gaismustudija[.]lv, hcdh-tunisie[.]org, www.gallen[.]fi, www.bombheros[.]com/wp-content/languages/index.php, www.simplifiedhomesales[.]com/wp-includes/images/index.php, mtsoft.hol[.]es/wp-content/gallery/, www.polishpod101[.]com/forum/language/en/sign/, www.pierreagencement[.]fr/wp-content/languages/index.php, sansaispa[.]com/wp-includes/images/gallery/, octoberoctopus[.]co[.]za/wp-includes/sitemaps/web/
- [Hash] Snake – fc68026b83392aa227e9adf9c71289cb51ba03427f6de67a73ae872e19ef6ff9, 1950d2e706fbc6263d376c0c4f16bd5acfd543248ee072657ba3dd62da8427eb, cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986, b262292e049ee75d235164df98fa8ed09a9e2a30c5432623856bafd4bd44d801
- [Hash] Kopiluwak – 6536b6b50aa1f6899ffa90aaf4b1b67c0ae0f6c0441016f5308b37c12141c61d, 8d9bb878a18b2b7ef558504e78a59eb644f83a63679658533ff8accf0b85fda3
- [Domain] Kopiluwak – manager.surro[.]am
- [IP] Kopiluwak – 194.67.209[.]186
- [Hash] Topinambour – 009406c1c7c0b289a25d44dfaa8364633d9b71df5f3c7a65deec1ef00a8c2ebb, 7a7d11adbcb740323eb52b097f535cfa5c281bf07a4d5c4afb0c5182fa4ffd1b
- [Hash] QUIETCANARY/Tunnus – 0fc624aa9656a8bc21731bfc47fd7780da38a7e8ad7baf1529ccd70a5bb07852, 3f94b20cb7f4ff55207660649ebbb02679c991fe03efbcb0bd3840fc7f0bd527
- [Domain] QUIETCANARY/Tunnus – lakihelppi[.]com
- [IP] QUIETCANARY – 46.101.209[.]249, 210.48.231[.]182
- [Hash] Crutch – 0010ccb822538d1881c61be874af49382c44b6c9cb665081cf0f672cbed5b6a5, 29b1da7b17a7ba3e730e6927058d0554a8bc81bdef88e364097fab0bb1950edc
- [Hash] ComRAT – 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d, 134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8, 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405, 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
- [Domain] ComRAT – branter[.]tk, wekanda[.]tk, sanitar[.]ml
- [Hash] Carbon – 493e5fae191950b901764868b065ddddffa4f4c9b497022ee2f998b4a94f0fc2, f3aaa091fdbc8772fb7bd3a81665f4d33c3b62bf98caad6fee4424654ba26429
- [Domain] Carbon – www.berlinguas[.]com, www.balletmaniacs[.]com
- [Hash] HyperStack – 6ca0b4efe077fe05b2ae871bf50133c706c7090a54d2c3536a6c86ff454caa9a, 20691ff3c9474cfd7bf6fa3f8720eb7326e6f87f64a1f190861589c1e7397fa5
- [Hash] TinyTurla – 030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01
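As an added, defender-side example that is not part of the Unit 42 article or of any vendor tooling: the script below takes a subset of the indicators listed above exactly as published (defanged, some in mixed case), normalises them, and matches them against log lines. It handles the two details that most often make a copy-pasted IoC list miss: defanged dots and inconsistent letter case in hashes and hostnames, and it extracts the hostname from indicators that were published as full URL paths. The sample log lines, their field layout, and the extra defanging conventions it accepts besides `[.]` (`(.)` and `hxxp`) are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the list above, exactly as published (defanged, mixed case).
# Only a subset is included to keep the example short; extend the dict with the rest.
DEFANGED_IOCS: Dict[str, Dict[str, List[str]]] = {
    "Kopiluwak": {
        "domain": ["manager.surro[.]am"],
        "ip": ["194.67.209[.]186"],
        "sha256": ["6536b6b50aa1f6899ffa90aaf4b1b67c0ae0f6c0441016f5308b37c12141c61d"],
    },
    "Kazuar": {
        "domain": ["Gaismustudija[.]lv",
                   "www.bombheros[.]com/wp-content/languages/index[.]php"],
        "sha256": ["Bf6f30673cf771d52d589865675a293dc5c3668a956d0c2fc0d9403424d429b2"],
    },
    "QUIETCANARY/Tunnus": {
        "domain": ["lakihelppi[.]com"],
        "ip": ["46.101.209[.]249", "210.48.231[.]182"],
    },
    "TinyTurla": {
        "sha256": ["030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01"],
    },
}


def refang(value: str) -> str:
    """Undo common defanging ([.] / (.) for dots, hxxp for http) and lowercase the value."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if v.startswith("hxxp"):          # assumed convention, not used in the list above
        v = "http" + v[4:]
    return v


def host_of(indicator: str) -> str:
    """Return the hostname of a refanged indicator that may carry a scheme and/or a path."""
    no_scheme = re.sub(r"^[a-z]+://", "", indicator)
    return no_scheme.split("/", 1)[0]


def build_index(iocs: Dict[str, Dict[str, List[str]]] = DEFANGED_IOCS) -> Dict[str, Dict[str, str]]:
    """Map each normalised indicator to its malware family, grouped by indicator kind."""
    index: Dict[str, Dict[str, str]] = {"sha256": {}, "ip": {}, "host": {}, "url": {}}
    for family, kinds in iocs.items():
        for kind, values in kinds.items():
            for raw in values:
                value = refang(raw)
                if kind == "domain":
                    index["host"][host_of(value)] = family
                    if "/" in value:          # a full URL path was published; keep it as well
                        index["url"][value] = family
                else:
                    index[kind][value] = family
    return index


SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def scan_line(line: str, index: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return sorted (family, kind, value) tuples for every indicator found in one log line."""
    text = line.lower()               # case-insensitive: logs often upper-case hashes or queries
    hits = set()
    for h in SHA256_RE.findall(text):
        if h in index["sha256"]:
            hits.add((index["sha256"][h], "sha256", h))
    for ip in IPV4_RE.findall(text):
        if ip in index["ip"]:
            hits.add((index["ip"][ip], "ip", ip))
    for host in HOST_RE.findall(text):
        if host in index["host"]:
            hits.add((index["host"][host], "host", host))
    for url, family in index["url"].items():
        if url in text:
            hits.add((family, "url", url))
    return sorted(hits)


def scan(lines: List[str], index: Dict[str, Dict[str, str]] = None) -> List[Tuple[int, str, str, str]]:
    """Scan many lines; returns [(line_number, family, kind, value), ...] in line order."""
    index = index or build_index()
    out = []
    for n, line in enumerate(lines, 1):
        for family, kind, value in scan_line(line, index):
            out.append((n, family, kind, value))
    return out


# Constructed sample log lines (not real telemetry). Note the upper-case DNS query and hash.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z dns client=10.0.0.5 query=MANAGER.SURRO.AM type=A",
    "2024-01-01T10:00:03Z proxy client=10.0.0.5 dst=194.67.209.186:443 action=allow",
    "2024-01-01T10:01:00Z edr host=ws07 event=file_create path=C:\\Windows\\System32\\w64time.dll "
    "sha256=030CBD1A51F8583CCFC3FA38A28A5550DC1C84C05D6C0F5EB887D13DEDF1DA01",
    "2024-01-01T10:02:00Z dns client=10.0.0.9 query=www.example.com type=A",
    "2024-01-01T10:03:00Z proxy client=10.0.0.9 url=http://www.bombheros.com/wp-content/languages/index.php",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Hostname matches are reported separately from full-URL matches because a shared hosting domain can be benign on its own while the published path is the stronger signal; both kinds are returned so the analyst can weight them.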
Read more: https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/