Skip to content

S0537 HyperStack

HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.1

Item Value
ID S0537
Associated Names
Version 1.0
Created 02 December 2020
Last Modified 04 December 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account HyperStack can enumerate all account names on a remote share.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography HyperStack has used RSA encryption for C2 communications.1
enterprise T1559 Inter-Process Communication HyperStack can connect to the IPC$ share on remote machines.1
enterprise T1112 Modify Registry HyperStack can add the name of its communication pipe to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes.1
enterprise T1106 Native API HyperStack can use Windows API’s ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.1
enterprise T1078 Valid Accounts -
enterprise T1078.001 Default Accounts HyperStack can use default credentials to connect to IPC$ shares on remote machines.1

Groups That Use This Software

ID Name References
G0010 Turla 1