Turla Analysis

IOB - Indicator of Behavior (729)

The charts of this section (timeline, language, country, actors, activities, interest, type, vendor and product) show distorted dummy data in this view; the real data requires an additional purchase.

Lang

en: 700
it: 10
de: 8
fr: 8
ru: 4

Country

fr: 570
us: 130
at: 14
ir: 4
ro: 2

Product

Google Chrome: 30
Microsoft Windows: 26
Google Android: 12
Adobe Acrobat Reader: 10
XStream: 10

Vulnerabilities

# | Vulnerability | Base | Temp | 0day price | Today price | Exploitability | Remediation | CTI | EPSS | CVE
1 | Atlassian JIRA Server/Data Center Endpoint custom cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.01055 | CVE-2021-43942
2 | Thomas R. Pasawicz HyperBook Guestbook Password Database gbconfiguration.dat Hash information disclosure | 5.3 | 5.2 | $5k-$25k | Calculating | High | Workaround | 0.04 | 0.04187 | CVE-2007-1192
3 | Twilio Authy race condition | 4.7 | 4.5 | $0-$5k | Calculating | Not Defined | Official Fix | 0.01 | 0.00885 | CVE-2020-24655
4 | Hgiga MailSherlock URL Parameter sql injection | 8.0 | 8.0 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.02 | 0.01055 | CVE-2021-22848
5 | shescape _Shescape_ argument injection | 5.9 | 5.6 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.01 | 0.00950 | CVE-2021-21384
6 | LUCY Security Awareness Software Migration Tool static unrestricted upload | 8.5 | 7.7 | $0-$5k | $0-$5k | Proof-of-Concept | Unavailable | 0.03 | 0.01156 | CVE-2021-28132
7 | Google Android platform.h sound_trigger_event_alloc out-of-bounds write | 6.5 | 6.3 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00 | 0.01036 | CVE-2021-0464
8 | Apple iOS/iPadOS WebKit memory corruption | 6.3 | 6.0 | $100k and more | $25k-$100k | Not Defined | Official Fix | 0.05 | 0.02166 | CVE-2021-1844
9 | AfterLogic Aurora/WebMail Pro DAV DAVServer.php pathname traversal | 7.6 | 7.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00 | 0.00885 | CVE-2021-26293
10 | Mozilla Firefox/Firefox ESR Private Browsing Persistent information disclosure | 6.4 | 6.1 | $5k-$25k | Calculating | Not Defined | Official Fix | 0.00 | 0.01537 | CVE-2017-7843
11 | OpenSSH Authentication Username information disclosure | 5.3 | 4.8 | $5k-$25k | $0-$5k | High | Official Fix | 0.54 | 0.49183 | CVE-2016-6210
12 | jQuery dataType script.js Cross-Domain cross site scripting | 5.2 | 4.9 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.19 | 0.17112 | CVE-2015-9251
13 | Sony PS4/PS5 exFAT UVFAT_readupcasetable heap-based overflow | 6.8 | 6.4 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.04 | 0.00885 | CVE-2022-3349
14 | Microsoft Outlook denial of service | 5.9 | 5.1 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.06 | 0.00000 | CVE-2022-35742
15 | Securepoint SSL VPN Client Configuration Handling access control | 5.3 | 5.1 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00950 | CVE-2021-35523
16 | VMware Spring Cloud Gateway Actuator Endpoint code injection | 9.8 | 9.4 | $5k-$25k | $5k-$25k | Not Defined | Official Fix | 0.05 | 0.95613 | CVE-2022-22947
17 | Apache Log4j JMSSink deserialization | 6.3 | 6.0 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.10 | 0.09148 | CVE-2022-23302
18 | Apache Geode Log File log file | 4.6 | 4.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.02 | 0.00885 | CVE-2021-34797
19 | Microsoft IIS cross site scripting | 5.2 | 4.7 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.41 | 0.25090 | CVE-2017-0055
20 | OpenWrt DDNS Package detail.lua command injection | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.01055 | CVE-2021-28961

Campaigns (3)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (48)

These indicators of compromise list associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaign | Type | Confidence
1 | 5.255.93.228 | - | Turla | - | verified | High
2 | 45.153.241.162 | - | Turla | - | verified | High
3 | 62.12.39.117 | - | Turla | Waterbug | verified | High
4 | 62.68.73.57 | - | Turla | Waterbug | verified | High
5 | 62.212.226.118 | - | Turla | Waterbug | verified | High
6 | 66.178.107.140 | - | Turla | Whitebear | verified | High
7 | 70.32.39.219 | am-smartsales.com | Turla | - | verified | High
8 | 72.232.222.58 | HOST.MJSHOSTING.COM | Turla | Waterbug | verified | High
9 | 77.232.99.77 | - | Turla | - | verified | High
10 | 79.110.52.218 | - | Turla | - | verified | High
Entries 11-48 are masked in this view.

TTP - Tactics, Techniques, Procedures (23)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IOA - Indicator of Attack (160)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | %APPDATA%\Securepoint SSL VPN | predictive | High
2 | File | /Api/ASF | predictive | Medium
3 | File | /etc/shadow | predictive | Medium
4 | File | /etc/target/saveconfig.json | predictive | High
5 | File | /exec | predictive | Low
6 | File | /form/index.php?module=getjson | predictive | High
7 | File | /hcms/admin/index.php/language/ajax | predictive | High
8 | File | /jsonrpc | predictive | Medium
9 | File | /product.php | predictive | Medium
10 | File | /ram/pckg/advanced-tools/nova/bin/netwatch | predictive | High
11 | File | /redpass.cgi | predictive | Medium
12 | File | /registerCpe | predictive | Medium
13 | File | /rest/collectors/1.0/template/custom | predictive | High
14 | File | /system?action=ServiceAdmin | predictive | High
15 | File | /uncpath/ | predictive | Medium
16 | File | /Uploads | predictive | Medium
17 | File | /User/saveUser | predictive | High
18 | File | /webapps/Bb-sites-user-profile-BBLEARN/profile.form | predictive | High
19 | File | /wp-admin/customization.php | predictive | High
Entries 20-160 (further File entries 20-103, Library entries 104-109, Argument entries 110-158, Input Value entry 159 and Network Port entry 160) are masked in this view.
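The following Python script is an added worked example for the IOC and IOA tables above; it is not part of this page's data feed and not tooling of any vendor or actor named here. It loads the visible IOC entries (1-10) and the visible IOA path fragments (entries 2-19) and runs them over a handful of constructed proxy log lines. The log format (timestamp, client IP, destination IP, Host header, method, URL) and the log lines themselves are assumptions made for the example; only the indicator values, campaign names and hostnames are taken from the tables.

```python
"""Added example: match the visible Turla IOCs (IPs, hostnames) and IOA path
fragments from this page against constructed proxy log lines. The log format
and the log lines are assumptions for illustration, not data from the page."""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# IOC entries 1-10 from the page, IP -> campaign ("" where the page lists none).
IOC_IPS = {
    "5.255.93.228": "", "45.153.241.162": "", "62.12.39.117": "Waterbug",
    "62.68.73.57": "Waterbug", "62.212.226.118": "Waterbug",
    "66.178.107.140": "Whitebear", "70.32.39.219": "", "72.232.222.58": "Waterbug",
    "77.232.99.77": "", "79.110.52.218": "",
}
# Hostnames from the same table, lower-cased because DNS names are case-insensitive.
IOC_HOSTS = {"am-smartsales.com": "70.32.39.219", "host.mjshosting.com": "72.232.222.58"}

# IOA File entries 2-19 (entry 1 is a Windows %APPDATA% path, not a URL fragment).
IOA_PATHS = [
    "/Api/ASF", "/etc/shadow", "/etc/target/saveconfig.json", "/exec",
    "/form/index.php?module=getjson", "/hcms/admin/index.php/language/ajax",
    "/jsonrpc", "/product.php", "/ram/pckg/advanced-tools/nova/bin/netwatch",
    "/redpass.cgi", "/registerCpe", "/rest/collectors/1.0/template/custom",
    "/system?action=ServiceAdmin", "/uncpath/", "/Uploads", "/User/saveUser",
    "/webapps/Bb-sites-user-profile-BBLEARN/profile.form",
    "/wp-admin/customization.php",
]

# Constructed log lines (assumed format): timestamp, client IP, destination IP,
# Host header ("-" if absent), method, URL. Line 3 hides /etc/shadow behind
# percent-encoded traversal, which is why paths are normalized before matching.
SAMPLE_LOG = """\
2023-05-02T10:14:03Z 10.0.0.15 62.12.39.117 - GET /index.html
2023-05-02T10:14:09Z 10.0.0.15 203.0.113.10 am-smartsales.com POST /update.php
2023-05-02T10:15:21Z 10.0.0.22 198.51.100.7 intranet.example.org GET /app/..%2f..%2fetc/shadow
2023-05-02T10:16:00Z 10.0.0.22 198.51.100.7 intranet.example.org GET /jsonrpc
2023-05-02T10:17:45Z 10.0.0.31 198.51.100.9 shop.example.org GET /products/list
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+)$")


def normalize_url(url):
    """Split off the query, percent-decode the path and collapse '..' segments,
    so '/app/..%2f..%2fetc/shadow' compares as '/etc/shadow'."""
    path, _, query = url.partition("?")
    path = posixpath.normpath(unquote(path) or "/")
    if not path.startswith("/"):
        path = "/" + path
    return path, query


def match_ioa(url):
    """Return the IOA fragments found in the normalized URL. Fragments that carry
    a query string are compared against path+query, the rest against the path."""
    path, query = normalize_url(url)
    full = path + ("?" + query if query else "")
    return [f for f in IOA_PATHS if f in (full if "?" in f else path)]


def match_ioc(dst_ip, host):
    """Return (kind, indicator, campaign) tuples for a destination IP / Host pair."""
    hits = []
    try:
        ip = str(ipaddress.ip_address(dst_ip))  # rejects garbage such as "-" or "1.2.3"
    except ValueError:
        ip = None
    if ip in IOC_IPS:
        hits.append(("ioc_ip", ip, IOC_IPS[ip]))
    h = host.lower().rstrip(".")
    if h in IOC_HOSTS:
        hits.append(("ioc_host", h, IOC_IPS.get(IOC_HOSTS[h], "")))
    return hits


def scan(log_text):
    """Run both indicator sets over every parseable log line and return alerts."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never silently matched
        for kind, indicator, campaign in match_ioc(m["dst"], m["host"]):
            alerts.append({"line": lineno, "client": m["client"], "kind": kind,
                           "indicator": indicator, "campaign": campaign})
        for frag in match_ioa(m["url"]):
            alerts.append({"line": lineno, "client": m["client"], "kind": "ioa_path",
                           "indicator": frag, "campaign": ""})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Two points the tables alone do not make: the IOC hits are exact matches on verified infrastructure and can be escalated on their own, whereas the IOA entries are labelled predictive and short fragments such as /exec or /Uploads will also hit benign traffic, so an IOA hit is a triage lead rather than a verdict; and because most IOA fragments are literal paths, the match is done on the decoded, traversal-collapsed path, otherwise a request like /app/..%2f..%2fetc/shadow would slip past a plain substring comparison.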

References (12)

The following list contains external sources which discuss the actor and the associated activities:
