S0091 Epic
Epic is a backdoor that has been used by Turla. [1]
Item | Value |
---|---|
ID | S0091 |
Associated Names | Tavdig, Wipbot, WorldCupSec, TadjMakhal |
Type | MALWARE |
Version | 1.3 |
Created | 31 May 2017 |
Last Modified | 26 October 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Tavdig | [1] |
Wipbot | [1] |
WorldCupSec | [1] |
TadjMakhal | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Epic gathers a list of all user accounts, privilege classes, and time of last logon. [2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Epic uses HTTP and HTTPS for C2 communications. [1][2] |
enterprise | T1560 | Archive Collected Data | Epic encrypts collected data using a public key framework before sending it over the C2 channel. [1] Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server. [2] |
enterprise | T1560.002 | Archive via Library | Epic compresses the collected data with bzip2 before sending it to the C2 server. [2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Epic encrypts commands from the C2 server using a hardcoded key. [1] |
enterprise | T1083 | File and Directory Discovery | Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories. [1][2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Epic has a command to delete a file from the machine. [2] |
enterprise | T1027 | Obfuscated Files or Information | Epic heavily obfuscates its code to make analysis more difficult. [1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | Epic gathers information on local group names. [2] |
enterprise | T1057 | Process Discovery | Epic uses the tasklist /v command to obtain a list of processes. [1][2] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.011 | Extra Window Memory Injection | Epic has overwritten the function pointer in the extra window memory of Explorer’s Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process. [3] |
enterprise | T1012 | Query Registry | Epic uses the rem reg query command to obtain values from Registry keys. [1] |
enterprise | T1018 | Remote System Discovery | Epic uses the net view command on the victim’s machine. [1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them. [1] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper. [1] |
enterprise | T1082 | System Information Discovery | Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings. [2] |
enterprise | T1016 | System Network Configuration Discovery | Epic uses the nbtstat -n and nbtstat -s commands on the victim’s machine. [1] |
enterprise | T1049 | System Network Connections Discovery | Epic uses the net use, net session, and netstat commands to gather information on network connections. [1][2] |
enterprise | T1033 | System Owner/User Discovery | Epic collects the user name from the victim’s machine. [2] |
enterprise | T1007 | System Service Discovery | Epic uses the tasklist /svc command to list the services on the system. [1] |
enterprise | T1124 | System Time Discovery | Epic uses the net time command to get the system time from the machine and collect the current date and time zone information. [1] |
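The discovery techniques in the table above (T1057, T1007, T1018, T1016, T1049, T1124, T1012) are all carried out with built-in Windows commands, so no single one is suspicious on its own; what stands out is several of them running on one host within a short span. The following detection example is added here and is not part of the ATT&CK entry: it maps process-creation command lines to those technique IDs and flags hosts where at least three distinct techniques appear within a five-minute window. The log line format, host names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the technique table above, keyed by ATT&CK ID.
# Each pattern anchors to the start of the command line, with or without ".exe".
DISCOVERY_PATTERNS = [
    ("T1057", re.compile(r"^tasklist(\.exe)?\s+/v\b", re.I)),
    ("T1007", re.compile(r"^tasklist(\.exe)?\s+/svc\b", re.I)),
    ("T1018", re.compile(r"^net(\.exe)?\s+view\b", re.I)),
    ("T1016", re.compile(r"^nbtstat(\.exe)?\s+-[ns]\b", re.I)),
    ("T1049", re.compile(r"^(net(\.exe)?\s+(use|session)|netstat(\.exe)?)\b", re.I)),
    ("T1124", re.compile(r"^net(\.exe)?\s+time\b", re.I)),
    ("T1012", re.compile(r"^reg(\.exe)?\s+query\b", re.I)),
]

# Constructed log schema (not any product's format): "<ISO timestamp> host=<h> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+cmd=(?P<cmd>.+)$")

def classify(cmd):
    """Return the ATT&CK technique ID a command line maps to, or None if it is not one of the above."""
    cmd = cmd.strip().strip('"')
    for tid, pat in DISCOVERY_PATTERNS:
        if pat.search(cmd):
            return tid
    return None

def find_clusters(lines, window=timedelta(minutes=5), min_techniques=3):
    """Return {host: sorted technique IDs} for each host where at least min_techniques
    distinct discovery techniques start within any window-long span of events."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        tid = classify(m["cmd"]) if m else None
        if tid:
            events[m["host"]].append((datetime.fromisoformat(m["ts"]), tid))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide a window from each event
            seen = {tid for ts, tid in evs[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                hits[host] = sorted(seen)
                break
    return hits

SAMPLE_LOG = [  # constructed events: WS01 runs the page's discovery sequence, WS02 and WS03 do not
    "2020-10-26T09:00:01 host=WS01 cmd=tasklist /v",
    "2020-10-26T09:00:02 host=WS01 cmd=net view",
    "2020-10-26T09:00:03 host=WS01 cmd=nbtstat -n",
    "2020-10-26T09:00:04 host=WS01 cmd=netstat -an",
    "2020-10-26T09:00:05 host=WS01 cmd=net time",
    "2020-10-26T09:00:06 host=WS01 cmd=reg query HKLM\\Software",
    "2020-10-26T09:10:00 host=WS02 cmd=net view",  # isolated admin use, hours apart
    "2020-10-26T11:30:00 host=WS02 cmd=netstat -an",
    "2020-10-26T09:00:07 host=WS03 cmd=notepad.exe report.txt",
]

if __name__ == "__main__":
    for host, tids in find_clusters(SAMPLE_LOG).items():
        print(f"{host}: discovery cluster {tids}")
```

Tune `window` and `min_techniques` to the environment; administrators and inventory agents legitimately run some of these commands, so the cluster threshold, not any single match, is what carries the signal.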
Groups That Use This Software
ID | Name | References |
---|---|---|
G0010 | Turla | [1][4] |
References
1. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
2. Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
3. Boutin, J. and Faou, M. (2018). Visiting the snake nest. Retrieved May 7, 2019.
4. Secureworks CTU. (n.d.). IRON HUNTER. Retrieved February 22, 2022.