Names

WhiteBear, VENOMOUS BEAR, Snake, Uroburos, Waterbug

IOC

https://github.com/eset/malware-ioc/tree/master/turla
https://malpedia.caad.fkie.fraunhofer.de/actor/turla_group
https://www.tutorialjinni.com/turla-lightneuron-malware-sample-download.html
https://github.com/mstfknn/malware-sample-library/tree/master/Turla

Related reports

March 23, 2014
Uroburos samples
https://www.circl.lu/pub/tr-25/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082353/GData_Uroburos_RedPaper_EN_v1.pdf

August 7, 2014
Kaspersky's introduction to Turla and its Uroburos analysis report
https://securelist.com/the-epic-turla-operation/65545/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf
https://securelist.com/the-penquin-turla-2/67962/
https://securelist.com/agent-btz-a-source-of-inspiration/58551/
https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf

December 9, 2014
Turla and Linux
https://www.infoworld.com/article/2857184/the-turla-espionage-operation-also-infected-linux-systems-with-malware.html

September 9, 2015
Turla and satellite communications
https://arstechnica.com/information-technology/2015/09/how-highly-advanced-hackers-abused-satellites-to-stay-under-the-radar/
https://boingboing.net/2017/06/08/dvb-s.html
https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/
https://www.e365.info/?p=39508
https://wooyun.js.org/drops/Satellite%20Turla.%20APT%20Command%20and%20Control%20in%20the%20Sky.html

December 29, 2016
Related attribution
GRIZZLY STEPPE
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

April 15, 2017
LOKI2 (Penquin's Moonlit Maze)
https://www.freebuf.com/articles/network/131613.html
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf

June 21, 2017
Turla watering holes, Firefox extension abusing Instagram
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
https://www.forcepoint.com/blog/x-labs/curious-case-reconnaissance-campaign-targeting-ministry-and-embassy-sites

August 17, 2017
KopiLuwak and the G20
https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack

August 30, 2017
Gazer
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer

May 22, 2018
Mosquito backdoor
https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

August 23, 2018
Outlook backdoor communicating through PDF files sent by email
https://securityaffairs.co/wordpress/75589/malware/turla-backdoor-pdf.html
https://www.bluvector.io/threat-report-turla-apt-group-uses-novel-email-backdoor/
https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/
https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf
http://blog.nsfocus.net/microsoft-outlook-turla/

October 4, 2018
Turla updates its code
https://threatpost.com/virus-bulletin-2018-turla-apt-changes-shape-with-new-code-and-targets/137719/
https://securityboulevard.com/2018/10/apt28-gets-the-spotlight-but-turla-remains-russias-elite-hacking-unit/
https://www.secrss.com/articles/5613

May 2019
LightNeuron
https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
https://www.chainnews.com/articles/768875245554.htm
https://m.threatbook.cn/detail/1453

May 29, 2019
PowerShell
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

October 3, 2019
Turla hijacks Iranian APT tooling: the Iranian tools Neuron and Nautilus
https://www.bankinfosecurity.com/blogs/turla-teardown-attribute-nation-state-attacks-p-2813
https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims

October 21, 2019
NSA and NCSC joint advisory on Turla (relayed by CISA)
https://www.us-cert.gov/ncas/current-activity/2019/10/21/nsa-and-ncsc-release-joint-advisory-turla-group-activity
https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_TURLA_20191021%20VER%203%20-%20COPY.PDF

March 12, 2020
Turla infrastructure tracking
https://www.recordedfuture.com/turla-apt-infrastructure/

March 12, 2020
Turla and Python; NetFlash and PyFlash
https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/

Other

Keywords

Carbon, Agent.btz, Pfinet, Mosquito, KopiLuwak,
modified Neuron and Nautilus, Gazer, IcedCoffee, NetFlash, PyFlash

Techniques

  • Satellite-based command and control
  • Email communication through encrypted PDF files
  • Watering holes, browser exploits
  • Hijacking APT34; using other APT groups' tools to hide its own activity
  • Use of PowerShell
  • Use of Python