
Turla Cyber Campaign: Targeting Pakistan's Critical Infrastructure
Indicators of Compromise
APT Groups1
<p><b>Summary of Actor</b>:Turla Group, also known as Snake or Uroburos, is a sophisticated Russian-speaking cyber-espionage group. It has been active since at least 2004 and is known for targeting government, military, and diplomatic sectors globally. The group employs advanced malware and stealth techniques to maintain long-term access to target networks.</p><p><b>General Features</b>:Turla is known for its sophisticated malware tools, such as Snake, Turla, and Carbon. They use watering hole attacks, spear-phishing emails, and custom malicious software. The group operates with strategic goals, often aligned with Russian geopolitical interests.</p><p><b>Related Other Groups</b>: APT28,APT29,Dragonfly</p><p><b>Indicators of Attack (IoA)</b>:<ul><li>Unusual DNS queries</li><li>Suspicious network traffic patterns</li><li>Usage of PowerShell and other scripting tools</li><li>Malicious Office Document attachments</li><li>Usage of compromised infrastructure for C2 servers</li></ul></p><p><b>Recent Activities and Trends</b>:<ul><li><b>Latest Campaigns </b>: In recent years, Turla has been observed leveraging COVID-19 themes in spear-phishing campaigns. They have also been linked to attacks on European governments and institutions, emphasizing their focus on political espionage.</li><li><b>Emerging Trends </b>: Turla has been increasingly using cloud services for Command-and-Control (C2) infrastructure, as well as evolving their malware to evade modern detection mechanisms.</li></ul></p>
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1189 - Drive-by Compromise
ID | Data Source | Data Component | Detects |
Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before. | |||
Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing. | |||
Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data. | |||
Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code. | |||
Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. |
T1105 - Ingress Tool Transfer
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments for suspicious activity associated with downloading external content. | |||
Monitor for file creation and files transferred into the network | |||
Monitor for newly constructed network connections that are sent or received by untrusted hosts or creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. | |||
Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs. | |||
Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
T1036 - Masquerading
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [55] Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Masquerading. | |||
Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters"\u202E", "[U+202E]", and "%E2%80%AE". Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[56] In Linux, the file command may be used to check the file signature.[57] | |||
Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associate with Masquerading. | |||
Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [58] | |||
Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata. | |||
Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints. Analytic 1 - Suspicious Run Locations (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*") | |||
Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. | |||
Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML). On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command. | |||
Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. | |||
Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. | |||
Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc. | |||
Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts. |
T1140 - Deobfuscate/Decode Files or Information
ID | Data Source | Data Component | Detects |
Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn’t be further modified) that may coincide with attempts to hide artifacts. | |||
Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Analytic 1 - CertUtil with Decode Argument (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\certutil.exe" AND CommandLine= decode ) | |||
Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
T1113 - Screen Capture
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation. | |||
Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[1][2]. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment. |
T1057 - Process Discovery
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system. | |||
Monitor for API calls may attempt to get information about running processes on a system. | |||
Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.Within the built-in Windows Commands:
Analytic 1 - Host Discovery Commands (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName |
T1056 - Input Capture
ID | Data Source | Data Component | Detects |
Monitor for unusual kernel driver installation activity. Analytic 1 - Unexpected kernel driver installations. index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)") | |||
Monitor for changes made to files for unexpected modifications to access permissions and attributes. Analytic 1 - Unexpected file modifications. index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100") | |||
Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [9] | |||
Monitor for newly executed processes conducting malicious activity | |||
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. | |||
Monitor for changes made to windows registry keys or values for unexpected modifications |
T1566 - Phishing
ID | Data Source | Data Component | Detects |
Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. | |||
Monitor for newly constructed files from a phishing messages to gain access to victim systems. | |||
Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
T1059 - Command and Scripting Interpreter
ID | Data Source | Data Component | Detects |
Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Analytic 1 - Suspicious script execution (sourcetype=WinEventLog:Security OR OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)| search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic")| eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No") | |||
Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll). Analytic 1 - Look for unusual module loads associated with scripting languages. sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\JScript.dll", "C:\Windows\System32\vbscript.dll", "System.Management.Automation.dll") | |||
Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. Analytic 1 - Look for unusual command and scripting process creation. (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)(EventCode=4688 OR EventID=1 OR _raw=sh OR _raw=python OR _raw=powershell OR _raw=cmd OR _raw=script OR _raw=wscript OR _raw=bash) | |||
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[56] | |||
Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Analytic 1 - Look for attempts to enable scripts on the system. index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) (CommandLine="script")| search script_name IN (".ps1", ".sh", ".py", ".rb", ".js", ".vbs")| eval suspicious_script=if(like(script_name, "%.sh") AND hour(_time) NOT BETWEEN 8 AND 18, "Yes", "No")| where suspicious_script="Yes" |
T1102 - Web Service
ID | Data Source | Data Component | Detects |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. | |||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
T1127 - Trusted Developer Utilities Proxy Execution
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed. | |||
Monitor trusted developer utility activity with unsigned module loads. | |||
Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious. Use process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development-related tasks, so if it exists and is used outside of that context, then the event may be suspicious. | |||
Evaluate Event Tracing for Windows (ETW) telemetry associated with the execution of developer utilities. |
T1115 - Clipboard Data
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications. | |||
Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications. |