Turla Outlook White Paper
AI Analysis
Technical Summary
The Turla Outlook White Paper describes a threat associated with the Turla group, a well-known advanced persistent threat (APT) actor. This threat involves the exploitation of Microsoft Outlook through a technique known as Component Object Model (COM) hijacking (MITRE ATT&CK T1122). COM hijacking allows attackers to manipulate the way Outlook components are loaded and executed, enabling them to persist within the victim's environment and evade detection. The primary objective of this threat is email collection (MITRE ATT&CK T1114), which involves unauthorized access to and exfiltration of sensitive email communications. The attack targets sectors such as academic and research institutions and government entities, particularly within Western Europe. The threat is characterized by medium certainty and medium threat level, indicating that while the indicators of compromise (IOCs) and technical details are not fully confirmed, there is credible intelligence suggesting active targeting. No specific affected product versions or patches are identified, and no known exploits in the wild have been reported. The persistence mechanism through COM hijacking suggests a sophisticated approach to maintain long-term access and data collection capabilities. The lack of patch availability and the use of legitimate system components for hijacking complicate detection and mitigation efforts. Overall, this threat represents a targeted espionage campaign leveraging Outlook's architecture to harvest sensitive email data from high-value targets in Western Europe.
Potential Impact
For European organizations, especially those in government and academic sectors, this threat poses significant risks to confidentiality and operational security. Successful exploitation can lead to unauthorized access to sensitive communications, intellectual property theft, and potential exposure of classified or proprietary information. The persistence enabled by COM hijacking increases the likelihood of prolonged undetected presence, allowing attackers to conduct extensive reconnaissance and data exfiltration. This can undermine trust in communication systems, disrupt diplomatic or research collaborations, and potentially influence policy or research outcomes. The targeting of Western Europe aligns with geopolitical interests, making organizations in this region particularly vulnerable to espionage activities. Additionally, the lack of known patches and the sophisticated nature of the attack vector complicate incident response and remediation efforts, potentially increasing recovery time and costs.
Mitigation Recommendations
To mitigate this threat, European organizations should implement advanced monitoring of Outlook and COM component behaviors to detect anomalies indicative of hijacking attempts. Employ application whitelisting and integrity verification for COM components to prevent unauthorized modifications. Regularly audit and restrict permissions related to COM registrations and Outlook add-ins to limit the attack surface. Deploy endpoint detection and response (EDR) solutions capable of identifying suspicious persistence mechanisms and unusual email access patterns. Enhance network segmentation to isolate critical systems and limit lateral movement. Conduct threat hunting exercises focusing on indicators of COM hijacking and email exfiltration tactics. Implement strict access controls and multi-factor authentication for email accounts to reduce the risk of credential compromise. Finally, maintain up-to-date threat intelligence feeds and collaborate with national cybersecurity agencies to stay informed about emerging tactics used by the Turla group.
Affected Countries
France, Germany, United Kingdom, Belgium, Netherlands, Italy, Spain
Indicators of Compromise
- file: %appdata%\Microsoft\Windows\scawrdot.db
- file: %appdata%\Microsoft\Windows\flobcsnd.dat
- file: mapid.tlb
- file: msmime.dll
- regkey: HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} (COM hijacking)
- regkey: HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D} (COM hijacking)
- regkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\ (Virtual File System)
- url: https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf (White Paper)
- link: https://github.com/eset/malware-ioc/tree/master/turla
- file: Eset-Turla-Outlook-Backdoor.pdf (https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)
- yara: turla_outlook_log (merged from event 11961)

```yara
rule turla_outlook_log {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "First bytes of the encrypted Turla Outlook logs"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        // Log begin: [...] TVer
        $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A}
    condition:
        $s1 at 0
}
```

- yara: outlook_misty1 (merged from event 11961)

```yara
rule outlook_misty1 {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Detects the Turla MISTY1 implementation"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        // and edi, 1FFh
        $o1 = {81 E7 FF 01 00 00}
        // shl ecx, 9
        $s1 = {C1 E1 09}
        // xor ax, si
        $s2 = {66 33 C6}
        // shr eax, 7
        $s3 = {C1 E8 07}
        $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4}
    condition:
        $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] - 500 .. @o1[i] + 500)))
}
```

- yara: turla_outlook_gen (merged from event 11961)

```yara
rule turla_outlook_gen {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Turla Outlook malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        $s1 = "Outlook" ascii wide
        $s2 = "Outlook Express" ascii wide
        $s3 = "Outlook watchdog" ascii wide
        $s4 = "Software\\RIT\\The Bat!" ascii wide
        $s5 = "Mail Event Window" ascii wide
        $s6 = "Software\\Mozilla\\Mozilla Thunderbird\\Profiles" ascii wide
        $s7 = "%%PDF-1.4\n%%%c%c\n" ascii wide
        $s8 = "%Y-%m-%dT%H:%M:%S+0000" ascii wide
        $s9 = "rctrl_renwnd32" ascii wide
        $s10 = "NetUIHWND" ascii wide
        $s11 = "homePostalAddress" ascii wide
        $s12 = "/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=" ascii wide
        $s13 = "Re:|FWD:|AW:|FYI:|NT|QUE:" ascii wide
        $s14 = "IPM.Note" ascii wide
        $s15 = "MAPILogonEx" ascii wide
        $s16 = "pipe\\The Bat! %d CmdLine" ascii wide
        $s17 = "PowerShellRunner.dll" ascii wide
        $s18 = "cmd container" ascii wide
        $s19 = "mapid.tlb" ascii wide nocase
        $s20 = "Content-Type: F)*+" ascii wide fullword
    condition:
        5 of them
}
```

- yara: turla_outlook_exports (merged from event 11961)

```yara
import "pe"

rule turla_outlook_exports {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Export names of Turla Outlook Malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    condition:
        (pe.exports("install") or pe.exports("Install")) and
        pe.exports("TBP_Initialize") and
        pe.exports("TBP_Finalize") and
        pe.exports("TBP_GetName") and
        pe.exports("DllRegisterServer") and
        pe.exports("DllGetClassObject")
}
```

- yara: turla_outlook_filenames (merged from event 11961)

```yara
rule turla_outlook_filenames {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Turla Outlook filenames"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        $s1 = "mapid.tlb"
        $s2 = "msmime.dll"
        $s3 = "scawrdot.db"
    condition:
        any of them
}
```

- yara: turla_outlook_pdf (merged from event 11961)

```yara
rule turla_outlook_pdf {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Detect PDF documents generated by Turla Outlook malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        $s1 = "Adobe PDF Library 9.0" ascii wide nocase
        $s2 = "Acrobat PDFMaker 9.0" ascii wide nocase
        $s3 = {FF D8 FF E0 00 10 4A 46 49 46}
        $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9}
        $s5 = "W5M0MpCehiHzreSzNTczkc9d" ascii wide nocase
        $s6 = "PDF-1.4" ascii wide nocase
    condition:
        5 of them
}
```
- text: Turla (Cert-IST Attack name)
- link: https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023 (Cert-IST External link)
- comment: Snake
- comment: Uroburos
- comment: Venomous Bear
- comment: KRYPTON
- comment: Waterbug
- comment: WhiteBear
- comment: These IOCs originate in a report by ESET regarding the Outlook backdoor used in an attack against European government institutions in 2016 and 2017. The extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer.
- comment: Outlook
- target-location: Germany
- target-location: France
- datetime: 2015-12-31T23:00:00+00:00
- datetime: 2018-08-21T22:00:00+00:00
- link: https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/
- link: https://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/
- text: 48/65
- datetime: 2018-08-29T14:17:42
- hash: 7009af646c6c3e6abc0af744152ca968
- hash: 8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2
- hash: e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b
- link: https://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/
- text: 44/65
- datetime: 2018-08-30T05:52:57
- hash: af8889f4705145d4390ee8d581f45436
- hash: cf943895684c6ff8d1e922a76b71a188cfb371d7
- hash: 6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f
- hash: 851dffa6cd611dc70c9a0d5b487ff00bc3853f30
- link: https://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/
- text: 48/67
- datetime: 2018-08-29T09:57:38
- hash: ff8c3f362d7c9b9a19cfa09b4b3cfc75
- hash: f992abe8a67120667a01b88cd5bf11ca39d491a0
- hash: 881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867
Technical Details
- Uuid: 5b773e07-e694-458b-b99c-27f30a016219
- Original Timestamp: 1750309209
Indicators of Compromise
File
Value | Description | Copy |
---|---|---|
file%appdata%\Microsoft\Windows\scawrdot.db | — | |
file%appdata%\Microsoft\Windows\flobcsnd.dat | — | |
filemapid.tlb | — | |
filemsmime.dll | — | |
fileEset-Turla-Outlook-Backdoor.pdf | https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf |
Regkey
Value | Description | Copy |
---|---|---|
regkeyHKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} | COM hijacking | |
regkeyHKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D} | COM hijacking | |
regkeyHKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\ | Virtual File System |
Url
Value | Description | Copy |
---|---|---|
urlhttps://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf | White Paper |
Link
Value | Description | Copy |
---|---|---|
linkhttps://github.com/eset/malware-ioc/tree/master/turla | — | |
linkhttps://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023 | Cert-IST External link | |
linkhttps://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/ | — | |
linkhttps://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/ | — | |
linkhttps://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/ | — | |
linkhttps://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/ | — |
Yara
Value | Description | Copy |
---|---|---|
yararule turla_outlook_log { meta: author = "ESET Research" date = "22-08-2018" description = "First bytes of the encrypted Turla Outlook logs" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" strings: //Log begin: [...] TVer $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A} condition: $s1 at 0 } | Merged from event 11961 | |
yararule outlook_misty1 { meta: author = "ESET Research" date = "22-08-2018" description = "Detects the Turla MISTY1 implementation" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" strings: //and edi, 1FFh $o1 = {81 E7 FF 01 00 00} //shl ecx, 9 $s1 = {C1 E1 09} //xor ax, si $s2 = {66 33 C6} //shr eax, 7 $s3 = {C1 E8 07} $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4} condition: $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] -500 ..@o1[i] + 500))) } | Merged from event 11961 | |
yararule turla_outlook_gen { meta: author = "ESET Research" date = "22-08-2018" description = "Turla Outlook malware" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" strings: $s1 = "Outlook" ascii wide $s2 = "Outlook Express" ascii wide $s3 = "Outlook watchdog" ascii wide $s4 = "Software\\RIT\\The Bat!" ascii wide $s5 = "Mail Event Window" ascii wide $s6 = "Software\\Mozilla\\Mozilla Thunderbird\\Profiles" ascii wide $s7 = "%%PDF-1.4\n%%%c%c\n" ascii wide $s8 = "%Y-%m-%dT%H:%M:%S+0000" ascii wide $s9 = "rctrl_renwnd32" ascii wide $s10 = "NetUIHWND" ascii wide $s11 = "homePostalAddress" ascii wide $s12 = "/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=" ascii wide $s13 = "Re:|FWD:|AW:|FYI:|NT|QUE:" ascii wide $s14 = "IPM.Note" ascii wide $s15 = "MAPILogonEx" ascii wide $s16 = "pipe\\The Bat! %d CmdLine" ascii wide $s17 = "PowerShellRunner.dll" ascii wide $s18 = "cmd container" ascii wide $s19 = "mapid.tlb" ascii wide nocase $s20 = "Content-Type: F)*+" ascii wide fullword condition: 5 of them } | Merged from event 11961 | |
yaraimport "pe"rule turla_outlook_exports { meta: author = "ESET Research" date = "22-08-2018" description = "Export names of Turla Outlook Malware" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" condition: (pe.exports("install") or pe.exports("Install")) and pe.exports("TBP_Initialize") and pe.exports("TBP_Finalize") and pe.exports("TBP_GetName") and pe.exports("DllRegisterServer") and pe.exports("DllGetClassObject") } | Merged from event 11961 | |
yararule turla_outlook_filenames { meta: author = "ESET Research" date = "22-08-2018" description = "Turla Outlook filenames" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" strings: $s1 = "mapid.tlb" $s2 = "msmime.dll" $s3 = "scawrdot.db" condition: any of them } | Merged from event 11961 | |
yararule turla_outlook_pdf { meta: author = "ESET Research" date = "22-08-2018" description = "Detect PDF documents generated by Turla Outlook malware" reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf" source = "https://github.com/eset/malware-ioc/" contact = "github@eset.com" license = "BSD 2-Clause" strings: $s1 = "Adobe PDF Library 9.0" ascii wide nocase $s2 = "Acrobat PDFMaker 9.0" ascii wide nocase $s3 = {FF D8 FF E0 00 10 4A 46 49 46} $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9} $s5 = "W5M0MpCehiHzreSzNTczkc9d" ascii wide nocase $s6 = "PDF-1.4" ascii wide nocase condition: 5 of them } | Merged from event 11961 |
Text
Value | Description | Copy |
---|---|---|
textTurla | Cert-IST Attack name | |
text48/65 | — | |
textBkav (1.3.0.8876) Detection: No detection
MicroWorld-eScan (14.0.297.0) Detection: Trojan.GenericKD.1592844
CMC (1.1.0.977) Detection: No detection
CAT-QuickHeal (14.00) Detection: Trojan.Turla
McAfee (6.0.6.653) Detection: Trojan-FDTA!7009AF646C6C
Cylance (2.3.1.101) Detection: Unsafe
Zillya (2.0.0.3626) Detection: Trojan.Turla.Win32.32
TheHacker (6.8.0.5.3634) Detection: No detection
K7GW (10.61.28222) Detection: Trojan ( 00461fd31 )
K7AntiVirus (10.61.28220) Detection: Trojan ( 00461fd31 )
TrendMicro (10.0.0.1040) Detection: BKDR_TURLA.YKV
Baidu (1.0.0.2) Detection: No detection
Babable (9107201) Detection: No detection
Cyren (6.0.0.4) Detection: W32/Trojan.WMSS-2180
Symantec (1.7.0.0) Detection: Trojan.Turla
ESET-NOD32 (17963) Detection: Win32/Turla.N
TrendMicro-HouseCall (9.950.0.1006) Detection: BKDR_TURLA.YKV
Paloalto (1.0) Detection: generic.ml
ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0
Kaspersky (15.0.1.13) Detection: HEUR:Trojan.Win32.Turla.gen
BitDefender (7.2) Detection: Trojan.GenericKD.1592844
NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.dflvwp
ViRobot (2014.3.20.0) Detection: No detection
AegisLab (4.2) Detection: Trojan.Win32.Turla.m!c
Avast (18.4.3895.0) Detection: Win32:Turla-P [Trj]
Rising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (TFE:6:kpEFpblqr3J)
Endgame (3.0.1) Detection: No detection
Sophos (4.98.0) Detection: Troj/Turla-F
Comodo (None) Detection: No detection
F-Secure (11.0.19100.45) Detection: Trojan.GenericKD.1592844
DrWeb (7.0.33.6080) Detection: BackDoor.Turla.27
VIPRE (69182) Detection: Trojan.Win32.Generic!BT
Invincea (6.3.5.26121) Detection: No detection
McAfee-GW-Edition (v2017.3010) Detection: Trojan-FDTA!7009AF646C6C
Emsisoft (2018.4.0.1029) Detection: Trojan.GenericKD.1592844 (B)
SentinelOne (1.0.17.227) Detection: No detection
F-Prot (4.7.1.166) Detection: W32/Turla.H
Jiangmin (16.0.100) Detection: Backdoor/Turla.b
Webroot (1.0.0.403) Detection: W32.Trojan.GenKD
Avira (8.3.3.6) Detection: TR/Rogue.290816.12
MAX (2017.11.15.1) Detection: malware (ai score=83)
Antiy-AVL (3.0.0.1) Detection: Trojan/Win32.SGeneric
Kingsoft (2013.8.14.323) Detection: Win32.Troj.Generic.a.(kcloud)
Microsoft (1.1.15200.1) Detection: Trojan:Win32/Turla!dha
Arcabit (1.0.0.833) Detection: Trojan.Generic.D184E0C
SUPERAntiSpyware (5.6.0.1032) Detection: No detection
ZoneAlarm (1.0) Detection: HEUR:Trojan.Win32.Turla.gen
Avast-Mobile (180828-12) Detection: No detection
GData (A:25.18286B:25.13082) Detection: Win32.Trojan.Jyuqet.A@gen
AhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Turla.C341973
VBA32 (3.33.0) Detection: BScope.Trojan.Bitrep
AVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT
TACHYON (2018-08-29.02) Detection: No detection
Ad-Aware (3.0.5.370) Detection: Trojan.GenericKD.1592844
Malwarebytes (2.1.1.1115) Detection: No detection
Zoner (1.0) Detection: No detection
Tencent (1.0.0.1) Detection: Win32.Trojan.Url.Tiir
Yandex (5.5.1.3) Detection: Trojan.Turla!rVc9OA48pYU
Ikarus (0.1.5.2) Detection: Trojan.SuspectCRC
eGambit (None) Detection: No detection
Fortinet (5.4.247.0) Detection: W32/Turla.N!tr
AVG (18.4.3895.0) Detection: Win32:Turla-P [Trj]
Panda (4.6.4.2) Detection: Trj/Genetic.gen
CrowdStrike (1.0) Detection: No detection
Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.2f9

Detection ratio: 44/65
Bkav (1.3.0.8876) Detection: No detection
MicroWorld-eScan (14.0.297.0) Detection: Trojan.Generic.21818445
CMC (1.1.0.977) Detection: No detection
CAT-QuickHeal (14.00) Detection: Trojan.Turla
McAfee (6.0.6.653) Detection: RDN/Generic.com
Cylance (2.3.1.101) Detection: Unsafe
TheHacker (6.8.0.5.3634) Detection: No detection
K7GW (10.61.28228) Detection: Trojan ( 004fb2be1 )
K7AntiVirus (10.61.28226) Detection: Trojan ( 004fb2be1 )
TrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18
Baidu (1.0.0.2) Detection: No detection
Babable (9107201) Detection: No detection
F-Prot (4.7.1.166) Detection: W32/Turla.I
Symantec (1.7.0.0) Detection: Trojan.Gen.2
ESET-NOD32 (17964) Detection: a variant of Win32/Turla.R
TrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18
Paloalto (1.0) Detection: generic.ml
ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0
Kaspersky (15.0.1.13) Detection: Trojan.Win32.Turla.ak
BitDefender (7.2) Detection: Trojan.Generic.21818445
NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.enykkt
ViRobot (2014.3.20.0) Detection: No detection
SUPERAntiSpyware (5.6.0.1032) Detection: No detection
Avast (18.4.3895.0) Detection: Win32:Malware-gen
Tencent (1.0.0.1) Detection: Win32.Trojan.Turla.Lqey
Ad-Aware (3.0.5.370) Detection: Trojan.Generic.21818445
Sophos (4.98.0) Detection: Mal/Generic-S
Comodo (None) Detection: No detection
F-Secure (11.0.19100.45) Detection: Trojan.Generic.21818445
DrWeb (7.0.33.6080) Detection: BackDoor.Turla.111
VIPRE (69200) Detection: No detection
Invincea (6.3.5.26121) Detection: heuristic
McAfee-GW-Edition (v2017.3010) Detection: RDN/Generic.com
Emsisoft (2018.4.0.1029) Detection: Trojan.Generic.21818445 (B)
SentinelOne (1.0.17.227) Detection: No detection
Cyren (6.0.0.4) Detection: W32/Trojan.XKJO-4284
Jiangmin (16.0.100) Detection: No detection
Webroot (1.0.0.403) Detection: No detection
Avira (8.3.3.6) Detection: TR/AD.Turla.ckypp
Antiy-AVL (3.0.0.1) Detection: No detection
Kingsoft (2013.8.14.323) Detection: No detection
Microsoft (1.1.15200.1) Detection: Trojan:Win32/Occamy.C
Endgame (3.0.1) Detection: No detection
Arcabit (1.0.0.833) Detection: Trojan.Generic.D14CEC4D
AegisLab (4.2) Detection: Trojan.Win32.Turla.4!c
ZoneAlarm (1.0) Detection: Trojan.Win32.Turla.ak
Avast-Mobile (180828-12) Detection: No detection
GData (A:25.18288B:25.13086) Detection: Trojan.Generic.21818445
TACHYON (2018-08-29.02) Detection: Trojan/W32.Turla.388096
AhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Occamy.C2678124
ALYac (1.1.1.5) Detection: Trojan.Turla.Gen
AVware (1.6.0.52) Detection: No detection
MAX (2017.11.15.1) Detection: malware (ai score=100)
VBA32 (3.33.0) Detection: BScope.Trojan.Bitrep
Malwarebytes (2.1.1.1115) Detection: No detection
Zoner (1.0) Detection: No detection
Rising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (CLOUD)
Yandex (5.5.1.3) Detection: Trojan.Turla!WCZg2q7ERNg
Ikarus (0.1.5.2) Detection: Trojan.Win32.Turla
eGambit (None) Detection: No detection
Fortinet (5.4.247.0) Detection: W32/Turla.AK!tr
AVG (18.4.3895.0) Detection: Win32:Malware-gen
Panda (4.6.4.2) Detection: Trj/GdSda.A
CrowdStrike (1.0) Detection: No detection
Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.de0

Detection ratio: 48/67
Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10
MicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Zusy.258575
CMC (1.1.0.977) Detection: No detection
CAT-QuickHeal (14.00) Detection: TrojanSpy.Agent
McAfee (6.0.6.653) Detection: GenericRXCJ-OD!FF8C3F362D7C
Cylance (2.3.1.101) Detection: Unsafe
Zillya (2.0.0.3626) Detection: No detection
TheHacker (6.8.0.5.3634) Detection: No detection
K7GW (10.61.28216) Detection: Trojan ( 005097051 )
K7AntiVirus (10.61.28217) Detection: Trojan ( 005097051 )
Arcabit (1.0.0.833) Detection: Trojan.Zusy.D3F20F
TrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18
Baidu (1.0.0.2) Detection: No detection
Babable (9107201) Detection: No detection
Cyren (6.0.0.4) Detection: W32/Trojan.AMKO-3554
Symantec (1.7.0.0) Detection: Trojan.Turla
ESET-NOD32 (17962) Detection: Win32/Turla.AW
TrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18
Avast (18.4.3895.0) Detection: Win32:Malware-gen
ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1
Kaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe
BitDefender (7.2) Detection: Gen:Variant.Zusy.258575
NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Agent.enbjod
ViRobot (2014.3.20.0) Detection: No detection
AegisLab (4.2) Detection: Troj.W32.Gen.lJ0K
Rising (25.0.0.24) Detection: Spyware.Agent!8.C6 (CLOUD)
Ad-Aware (3.0.5.370) Detection: Gen:Variant.Zusy.258575
Emsisoft (2018.4.0.1029) Detection: Gen:Variant.Zusy.258575 (B)
Comodo (None) Detection: No detection
F-Secure (11.0.19100.45) Detection: Gen:Variant.Zusy.258575
DrWeb (7.0.33.6080) Detection: Trojan.MulDrop7.22438
VIPRE (69176) Detection: Trojan.Win32.Generic!BT
Invincea (6.3.5.26121) Detection: heuristic
McAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.Generic.hc
Sophos (4.98.0) Detection: Mal/Generic-S
SentinelOne (1.0.17.227) Detection: No detection
F-Prot (4.7.1.166) Detection: W32/Turla.G
Jiangmin (16.0.100) Detection: No detection
Webroot (1.0.0.403) Detection: No detection
Avira (8.3.3.6) Detection: TR/Crypt.ZPACK.gpbbw
Antiy-AVL (3.0.0.1) Detection: No detection
Kingsoft (2013.8.14.323) Detection: No detection
Endgame (3.0.1) Detection: malicious (high confidence)
Microsoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn
SUPERAntiSpyware (5.6.0.1032) Detection: No detection
ZoneAlarm (1.0) Detection: Trojan-Spy.Win32.Agent.dewe
Avast-Mobile (180828-12) Detection: No detection
GData (A:25.18285B:25.13082) Detection: Gen:Variant.Zusy.258575
TACHYON (2018-08-29.02) Detection: No detection
AhnLab-V3 (3.13.1.21616) Detection: No detection
ALYac (1.1.1.5) Detection: Trojan.Turla.Gen
AVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT
MAX (2017.11.15.1) Detection: malware (ai score=100)
VBA32 (3.33.0) Detection: TrojanSpy.Agent
Malwarebytes (2.1.1.1115) Detection: No detection
Panda (4.6.4.2) Detection: Trj/GdSda.A
Zoner (1.0) Detection: No detection
Tencent (1.0.0.1) Detection: Win32.Trojan-spy.Agent.Egye
Yandex (5.5.1.3) Detection: TrojanSpy.Agent!7mlehJopBxA
Ikarus (0.1.5.2) Detection: Trojan.Win32.Turla
eGambit (None) Detection: No detection
Fortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr
AVG (18.4.3895.0) Detection: Win32:Malware-gen
Cybereason (1.2.27) Detection: malicious.62d7c9
Paloalto (1.0) Detection: generic.ml
CrowdStrike (1.0) Detection: malicious_confidence_70% (D)
Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.d45
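The three engine lists above are the raw material behind figures such as "48/67": the count of engines that returned any label over the count queried. Vendors name the same sample anything from "Trojan.Turla" to "TrojanSpy:Win32/Skeeyah.A!rfn", so a triage script also needs a way to recover the family consensus from the labels. The following is an added example, not code from this page, Cert-IST or ESET: it parses lines in the "Engine (version) Detection: label" format used above, computes the ratio, and votes on a family name by discarding generic class words. The sample input is a constructed subset of the third block, and the generic-word stop-list is this example's own choice.

```python
"""Summarise multi-engine antivirus verdicts of the form shown on this page.

Each line reads "<Engine> (<version>) Detection: <label>", with the literal
"No detection" when an engine returned nothing. The helpers compute the
detection ratio (the "48/67" style figure) and a family-name consensus.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a subset of the third detection block on this page.
SAMPLE_VERDICTS = """\
Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10
CAT-QuickHeal (14.00) Detection: TrojanSpy.Agent
Cylance (2.3.1.101) Detection: Unsafe
Zillya (2.0.0.3626) Detection: No detection
Symantec (1.7.0.0) Detection: Trojan.Turla
ESET-NOD32 (17962) Detection: Win32/Turla.AW
ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1
Kaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe
Microsoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn
F-Prot (4.7.1.166) Detection: W32/Turla.G
Ikarus (0.1.5.2) Detection: Trojan.Win32.Turla
Fortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr
CrowdStrike (1.0) Detection: malicious_confidence_70% (D)
Malwarebytes (2.1.1.1115) Detection: No detection
"""

_LINE = re.compile(r"^(?P<engine>\S+) \((?P<version>[^)]*)\) Detection: (?P<label>.+)$")

# Stop-list (this example's own choice): tokens that name a malware class or a
# verdict rather than a family.
_GENERIC = {
    "trojan", "trojanspy", "spy", "backdoor", "bkdr", "troj", "trj", "win32",
    "win", "w32", "generic", "gen", "variant", "malware", "heur", "unsafe",
    "malicious", "confidence", "agent", "cloud", "suspect", "rogue", "crypt",
}


class Verdict(NamedTuple):
    engine: str
    version: str
    label: Optional[str]  # None when the engine reported "No detection"


def parse_verdicts(text: str) -> List[Verdict]:
    """Parse one verdict per non-empty line; reject lines in another format."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable verdict line: {line!r}")
        label = m.group("label").strip()
        out.append(Verdict(m.group("engine"), m.group("version"),
                           None if label == "No detection" else label))
    return out


def detection_ratio(verdicts: List[Verdict]) -> Tuple[int, int]:
    """(engines that flagged the sample, engines queried)."""
    return sum(1 for v in verdicts if v.label is not None), len(verdicts)


def family_votes(verdicts: List[Verdict]) -> Counter:
    """Count candidate family names, one vote per engine per token.

    A candidate is an alphabetic token of four or more characters that is not
    in the stop-list; "Win32/Turla.AW" therefore contributes only "turla".
    """
    votes: Counter = Counter()
    for v in verdicts:
        if v.label is None:
            continue
        seen = set()
        for tok in re.split(r"[^A-Za-z0-9]+", v.label):
            t = tok.lower()
            if len(t) >= 4 and t.isalpha() and t not in _GENERIC and t not in seen:
                seen.add(t)
                votes[t] += 1
    return votes


def consensus_family(verdicts: List[Verdict]) -> Optional[str]:
    """Most-voted candidate, or None when no engine gave a usable label."""
    votes = family_votes(verdicts)
    return votes.most_common(1)[0][0] if votes else None


if __name__ == "__main__":
    vs = parse_verdicts(SAMPLE_VERDICTS)
    flagged, queried = detection_ratio(vs)
    print(f"{flagged}/{queried} engines flagged the sample; "
          f"consensus family: {consensus_family(vs)}")
```

On the constructed subset the ratio is 12/14 and "turla" wins with five votes against one each for vendor-specific tokens such as "skeeyah" or "dewe"; run over a full block, the same code reproduces the ratios shown above.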
Comment
Value | Description
---|---
Snake | Cert-IST Attack Alias
Uroburos | Cert-IST Attack Alias
Venomous Bear | Cert-IST Attack Alias
KRYPTON | Cert-IST Attack Alias
Waterbug | Cert-IST Attack Alias
WhiteBear | Cert-IST Attack Alias
These IOCs originate in a report by ESET regarding the Outlook backdoor used in an attack against European government institutions in 2016 and 2017. The extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer. | Cert-IST Description
Outlook | Cert-IST Malware Name
Target location
Value | Description
---|---
Germany | Cert-IST Targeted Country
France | Cert-IST Targeted Country
Datetime
Value | Description
---|---
2015-12-31T23:00:00+00:00 | Cert-IST First Seen Date
2018-08-21T22:00:00+00:00 | Cert-IST First Disclosed Date
2018-08-29T14:17:42 | —
2018-08-30T05:52:57 | —
2018-08-29T09:57:38 | —
Hash
Value | Description
---|---
7009af646c6c3e6abc0af744152ca968 | MD5 (the same digest appears in McAfee's name Trojan-FDTA!7009AF646C6C in the first detection block)
8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2 | SHA-1
e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b | SHA-256
af8889f4705145d4390ee8d581f45436 | MD5
cf943895684c6ff8d1e922a76b71a188cfb371d7 | SHA-1
6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f | SHA-256
851dffa6cd611dc70c9a0d5b487ff00bc3853f30 | SHA-1
ff8c3f362d7c9b9a19cfa09b4b3cfc75 | MD5 (the same digest appears in McAfee's name GenericRXCJ-OD!FF8C3F362D7C in the third detection block)
f992abe8a67120667a01b88cd5bf11ca39d491a0 | SHA-1
881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867 | SHA-256
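The hash list mixes MD5, SHA-1 and SHA-256 digests with no algorithm column, which is the usual shape of an exported IOC set. A scanner has to classify each value by its hex length, digest every candidate file once with only the algorithms the set actually contains, and compare. The block below is an added example written for this page, not code from Cert-IST, ESET or the threat-intel platform; it embeds the ten hashes above verbatim, and its demo file and its contents are constructed (they are not a Turla artefact, so the page IOCs produce no hit on it).

```python
"""Scan files against the hash IOCs listed on this page.

Hashes are classified by hex length (32 = MD5, 40 = SHA-1, 64 = SHA-256) so
that each file is read once and digested only with the algorithms the IOC set
needs.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# The ten hashes from the Hash table above, verbatim.
PAGE_IOC_HASHES = """
7009af646c6c3e6abc0af744152ca968
8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2
e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b
af8889f4705145d4390ee8d581f45436
cf943895684c6ff8d1e922a76b71a188cfb371d7
6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f
851dffa6cd611dc70c9a0d5b487ff00bc3853f30
ff8c3f362d7c9b9a19cfa09b4b3cfc75
f992abe8a67120667a01b88cd5bf11ca39d491a0
881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867
"""

_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Group lower-cased hex digests by algorithm; reject anything else."""
    groups: Dict[str, Set[str]] = {a: set() for a in _ALGO_BY_LEN.values()}
    for line in text.splitlines():
        h = line.strip().lower()
        if not h:
            continue
        algo = _ALGO_BY_LEN.get(len(h))
        if algo is None or not set(h) <= _HEX:
            raise ValueError(f"not a recognised hex digest: {line!r}")
        groups[algo].add(h)
    return groups


def digest_file(path: str, algos: Iterable[str]) -> Dict[str, str]:
    """Compute all requested digests in a single pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_paths(paths: Iterable[str],
               ioc_text: str = PAGE_IOC_HASHES) -> List[Tuple[str, str, str]]:
    """Return (path, algorithm, digest) for every file matching an IOC."""
    iocs = parse_iocs(ioc_text)
    needed = [a for a, s in iocs.items() if s]
    hits = []
    for p in paths:
        for algo, value in digest_file(p, needed).items():
            if value in iocs[algo]:
                hits.append((p, algo, value))
    return hits


def walk_files(root: str) -> List[str]:
    """All regular file paths below root."""
    out = []
    for dirpath, _, names in os.walk(root):
        out.extend(os.path.join(dirpath, n) for n in names)
    return out


def demo_scan() -> Tuple[List[Tuple[str, str, str]], List[Tuple[str, str, str]], str]:
    """Constructed demo: one benign file, scanned first against the page IOCs
    (no hit expected) and then against the page IOCs plus that file's own MD5
    (exactly one hit expected). Returns (clean_hits, augmented_hits, own_md5)."""
    data = b"constructed benign sample, not a Turla artefact\n"
    own_md5 = hashlib.md5(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(data)
        clean = scan_paths(walk_files(d))
        augmented = scan_paths(walk_files(d), PAGE_IOC_HASHES + own_md5 + "\n")
    return clean, augmented, own_md5


if __name__ == "__main__":
    clean, augmented, own_md5 = demo_scan()
    print("hits against page IOCs:", clean)
    print("hits after adding the demo file's MD5:", augmented)
```

Matching on MD5 or SHA-1 alone is adequate for confirming a known sample but not for excluding a tampered one; when a SHA-256 is available for the same artefact, as it is for three of the samples above, treat it as the authoritative match.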
Threat ID: 6854183733c7acc0460a88ba
Added to database: 6/19/2025, 2:01:27 PM
Last enriched: 7/9/2025, 1:54:56 PM
Last updated: 7/15/2025, 10:04:12 PM
Views: 16