| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | TinyTurla has the ability to encrypt C2 traffic with SSL/TLS.[1] |
| Enterprise | T1008 | Fallback Channels | TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | TinyTurla has mimicked an existing Windows service by being installed as |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | TinyTurla has been deployed as |
| Enterprise | T1112 | Modify Registry | TinyTurla can set its configuration parameters in the Registry.[1] |
| Enterprise | T1106 | Native API | TinyTurla has used |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | TinyTurla can save its configuration parameters in the Registry.[1] |
| Enterprise | T1012 | Query Registry | TinyTurla can query the Registry for its configuration information.[1] |
| Enterprise | T1029 | Scheduled Transfer | TinyTurla contacts its C2 based on a scheduled timing set in its configuration.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | TinyTurla can install itself as a service on compromised machines.[1] |