
S0091 Epic

Epic is a backdoor that has been used by Turla. [1]

ID: S0091
Associated Names: Tavdig, Wipbot, WorldCupSec, TadjMakhal
Type: MALWARE
Version: 1.3
Created: 31 May 2017
Last Modified: 26 October 2020

Associated Software Descriptions

Name Description
Tavdig [1]
Wipbot [1]
WorldCupSec [1]
TadjMakhal [1]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Epic gathers a list of all user accounts, privilege classes, and time of last logon. [2]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Epic uses HTTP and HTTPS for C2 communications. [1][2]
enterprise T1560 Archive Collected Data Epic encrypts collected data using a public key framework before sending it over the C2 channel. [1] Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server. [2]
enterprise T1560.002 Archive via Library Epic compresses the collected data with bzip2 before sending it to the C2 server. [2]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Commands sent to Epic from the C2 server are encrypted with a hardcoded key. [1]
enterprise T1083 File and Directory Discovery Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories. [1][2]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Epic has a command to delete a file from the machine. [2]
enterprise T1027 Obfuscated Files or Information Epic heavily obfuscates its code to make analysis more difficult. [1]
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Epic gathers information on local group names. [2]
enterprise T1057 Process Discovery Epic uses the tasklist /v command to obtain a list of processes. [1][2]
enterprise T1055 Process Injection -
enterprise T1055.011 Extra Window Memory Injection Epic has overwritten the function pointer in the extra window memory of Explorer’s Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process. [3]
enterprise T1012 Query Registry Epic uses the rem reg query command to obtain values from Registry keys. [1]
enterprise T1018 Remote System Discovery Epic uses the net view command on the victim’s machine. [1]
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them. [1]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper. [1]
enterprise T1082 System Information Discovery Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings. [2]
enterprise T1016 System Network Configuration Discovery Epic uses the nbtstat -n and nbtstat -s commands on the victim’s machine. [1]
enterprise T1049 System Network Connections Discovery Epic uses the net use, net session, and netstat commands to gather information on network connections. [1][2]
enterprise T1033 System Owner/User Discovery Epic collects the user name from the victim’s machine. [2]
enterprise T1007 System Service Discovery Epic uses the tasklist /svc command to list the services on the system. [1]
enterprise T1124 System Time Discovery Epic uses the net time command to get the system time from the machine and collect the current date and time zone information. [1]
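Several of the rows above (T1057, T1007, T1018, T1049, T1016, T1124, T1012) attribute ordinary built-in Windows commands to Epic: tasklist /v, tasklist /svc, net view, net use, net session, netstat, nbtstat -n and -s, net time, reg query. Any one of them is routine administrator activity; what distinguishes the backdoor is that it runs many of them in quick succession. The detection below is an added example written for this page, not code from the ATT&CK project or from Epic itself. It classifies process-creation records into the ATT&CK IDs listed above and alerts when a single parent process launches at least three distinct discovery techniques within a five-minute window. The input records are constructed in the style of Sysmon Event ID 1 (field names UtcTime, ParentProcessGuid, Image, CommandLine); the events, the grouping key and the thresholds are assumptions, not observed Epic telemetry. One caveat worth testing against your own data: the page does not say how Epic launches these commands. If each one is spawned through its own cmd.exe /c, the recorded parent of tasklist.exe is that cmd.exe and the grouping key has to be the grandparent instead.

```python
"""Added example (not part of the ATT&CK page or of Epic): flag the burst of
built-in Windows discovery commands attributed to Epic when several distinct
ones run under the same parent process within a short window.

Records are constructed in the style of Sysmon Event ID 1 (process creation);
the field names follow Sysmon, the events themselves are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (ATT&CK ID from the Epic page, image basename, regex over the argument part
# of the command line). These are exactly the invocations the page lists.
RECON_SIGNATURES = [
    ("T1057", "tasklist.exe", re.compile(r"(^|\s)/v(\s|$)", re.I)),
    ("T1007", "tasklist.exe", re.compile(r"(^|\s)/svc(\s|$)", re.I)),
    ("T1018", "net.exe",      re.compile(r"^view(\s|$)", re.I)),
    ("T1049", "net.exe",      re.compile(r"^(use|session)(\s|$)", re.I)),
    ("T1049", "netstat.exe",  re.compile(r"")),           # any netstat invocation
    ("T1016", "nbtstat.exe",  re.compile(r"(^|\s)-[ns](\s|$)", re.I)),
    ("T1124", "net.exe",      re.compile(r"^time(\s|$)", re.I)),
    ("T1012", "reg.exe",      re.compile(r"^query(\s|$)", re.I)),
]

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"
# Skip the program token (quoted or bare) and capture the rest of the command line.
_ARGS = re.compile(r'\s*(?:"[^"]*"|\S+)\s*(.*)$')


def classify(event):
    """Return the ATT&CK ID the process-creation event matches, or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image == "net1.exe":          # net.exe hands most subcommands to net1.exe
        image = "net.exe"
    m = _ARGS.match(event["CommandLine"])
    args = m.group(1) if m else ""
    for technique, binary, pattern in RECON_SIGNATURES:
        if image == binary and pattern.search(args):
            return technique
    return None


def detect(events, window=timedelta(minutes=5), min_techniques=3):
    """One alert per parent process whose discovery commands cover at least
    min_techniques distinct ATT&CK IDs inside any span of length `window`.
    A lone 'netstat -an' from an administrator's shell never fires."""
    by_parent = defaultdict(list)
    for ev in events:
        technique = classify(ev)
        if technique:
            ts = datetime.strptime(ev["UtcTime"], SYSMON_TIME)
            by_parent[ev["ParentProcessGuid"]].append((ts, technique, ev["CommandLine"]))

    alerts = []
    for parent, hits in by_parent.items():
        hits.sort()                   # chronological; tuples sort on the timestamp
        for i in range(len(hits)):
            j = i                     # extend the cluster while it fits in the window
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            cluster = hits[i:j + 1]
            techniques = sorted({t for _, t, _ in cluster})
            if len(techniques) >= min_techniques:
                alerts.append({
                    "parent": parent,
                    "first": cluster[0][0].strftime(SYSMON_TIME),
                    "last": cluster[-1][0].strftime(SYSMON_TIME),
                    "techniques": techniques,
                    "commands": [c for _, _, c in cluster],
                })
                break                 # the analyst pivots from the first alert
    return alerts


# Constructed sample telemetry (hypothetical GUIDs; not real Epic activity).
SAMPLE_EVENTS = [
    {"UtcTime": "2017-05-31 10:00:01.000", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /v"},
    {"UtcTime": "2017-05-31 10:00:02.500", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\tasklist.exe", "CommandLine": "tasklist /svc"},
    {"UtcTime": "2017-05-31 10:00:04.000", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view"},
    {"UtcTime": "2017-05-31 10:00:05.200", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\nbtstat.exe", "CommandLine": "nbtstat -n"},
    {"UtcTime": "2017-05-31 10:00:06.800", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -an"},
    {"UtcTime": "2017-05-31 10:00:08.100", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"UtcTime": "2017-05-31 10:00:09.000", "ParentProcessGuid": "{EPIC-0001}",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net time"},
    # An administrator checking one thing from another shell: below threshold.
    {"UtcTime": "2017-05-31 10:03:00.000", "ParentProcessGuid": "{ADMIN-0002}",
     "Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -an"},
    # Unrelated process creation, ignored by classify().
    {"UtcTime": "2017-05-31 10:03:30.000", "ParentProcessGuid": "{ADMIN-0002}",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["parent"], alert["first"], "->", alert["last"], alert["techniques"])
```

Run against the sample, the {EPIC-0001} parent produces one alert covering all seven techniques within eight seconds, while the {ADMIN-0002} shell produces none. Tune min_techniques and window to your environment; monitoring or inventory agents that enumerate hosts on a schedule will look like the Epic cluster unless their parent images are excluded.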

Groups That Use This Software

ID Name References
G0010 Turla [1][4]

References