TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
Common Information
Type Value
UUID 182fc34c-eb39-4c59-a3b9-bf980cdae6f0
Fingerprint f5852dbf1637f780
Analysis status DONE
Considered CTI value 2
Text language
Published May 23, 2022, 8:57 a.m.
Added to db Oct. 24, 2023, 1:46 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
Title TURLA’s new phishing-based reconnaissance campaign in Eastern Europe
Detected Hints/Tags/Attributes 81/3/20
Attributes
Type | #Events | CTI Value
Domain | 118 | sekoia.io
Domain | 2 | wkoinfo.webredirect.org
Domain | 2 | jadlactnato.webredirect.org
Domain | 1 | baltdefcol.webredirect.org
Domain | 1 | www.baltdefcol.org
Domain | 1 | wko.at
Domain | 1 | jadl.act.nato.int
File | 44 | logo.png
File | 3 | rels.xml
md5 | 1 | f6e755e2af0231a614975d64ea3c8116
md5 | 1 | f223e046dd4e3f98bfeb1263a78ff080
IPv4 | 1 | 79.110.52.218
IPv4 | 1 | 45.153.241.162
IPv4 | 1 | 149.154.157.11
MITRE ATT&CK Techniques | 12 | T1598.003
MITRE ATT&CK Techniques | 14 | T1590.005
MITRE ATT&CK Techniques | 16 | T1592.002
Threat Actor Identifier - APT | 783 | APT28
Url | 1 | https://jadl.act.nato.int
Yara rule | 1 | apt_TURLA_ExternalPNGDocument_strings (rule text follows)
rule apt_TURLA_ExternalPNGDocument_strings {
	meta:
		id = "51413d41-d0f4-4e1a-9f12-322921e48977"
		version = "1.0"
		intrusion_set = "TURLA"
		description = "Detects external logo embedded in DOCX documents"
		source = "SEKOIA"
		creation_date = "2022-05-05"
		modification_date = "2022-05-05"
		classification = "TLP:GREEN"
	strings:
		$s1 = "/relationships/image"
		$s2 = /[0-9]{3,10}\/logo\.png/
		$s3 = "TargetMode=\"External\"/><"
	condition:
		$s1 in (filesize - 400 .. filesize) and $s2 in (filesize - 400 .. filesize) and $s3 in (filesize - 400 .. filesize)
}