Satellite Turla: APT Command and Control in the Sky
WHITE Turla Group AlienVault 2015-09-09 Modified: 2019-01-23
Also known as Snake or Uroburos, names that come from its top-class rootkit, the Turla cyber-espionage group has been active for more than 8 years. Several papers have been published about the group's operations, but until Kaspersky Lab published its Epic Turla research, little information was available about the more unusual aspects of those operations, such as the first stages of infection through watering-hole attacks. What makes the Turla group special is not just the complexity of its tools, which include the Uroburos rootkit, aka "Snake", as well as mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but the exquisite satellite-based C&C mechanism used in the latter stages of the attack.
Indicators of Compromise (59)