Turla and Snake malware
Vectra Notice: Turla and Snake Malware
Vectra’s behavioral coverage is prepared to detect the types of techniques that the threat group known as Turla has been observed performing in the course of an attack.
It was recently announced that the United States, through an FBI operation codenamed Medusa, disrupted the “Snake” malware attributed to a unit of the Federal Security Service of the Russian Federation known as Turla. Turla had used the Snake malware to create a peer-to-peer network that routes data exfiltrated from target systems back to Turla operators in Russia, and to carry out other objectives during a compromise.
While the US government has taken action to disable the “Snake” malware, organizations that may have been infected should remain cautious: other malware may have been installed alongside “Snake,” and any exploitable infrastructure that led to the malware being deployed may still remain.
A multi-national advisory was issued alongside the notice of the malware’s disruption that details artifacts and capabilities of the “Snake” malware. Included in that advisory are several Suricata rules which can be deployed using Vectra Match.
The broad set of MITRE ATT&CK tactics and techniques associated with Turla has been well documented over the years and is well covered by Vectra’s behavior-based threat detection. This coverage applies both to actions that would have been executed by the “Snake” malware and to other malware and credentials leveraged by an attacker. Notable alerts related to the techniques known to be used by Turla include: Command and Control via the Peer-To-Peer, Hidden DNS Tunnel, Hidden HTTPS Tunnel and Hidden HTTP Tunnel alerts; Discovery via the Port Scan and Port Sweep alerts; Lateral Movement with credentials via Privileged Access Analytics or with payloads via the Shell Knocker alert; and Exfiltration via the Smash & Grab alert. The attached PDF contains a full breakdown of how Vectra’s coverage maps to the MITRE ATT&CK techniques associated with Turla.