We have developed TIPpers, which are incidents the ThreatConnect Research team flags for your awareness, so your organization can take decisive action.
TIPper: Update to 20160114C – Malicious DLL and Satellite Infrastructure
This incident was previously tipped on 27 January 2016. ThreatConnect now has moderate confidence that this malware is associated with the Russian “Turla” Advanced Persistent Threat (APT) group and has identified additional command and control (C2) nodes.
ThreatConnect previously identified a malicious DLL that connects to two hardcoded C2 domains, which resolve to infrastructure hosted by a satellite provider in Africa. The Russian state-sponsored “Turla” actor has used this provider for C2 before, which led us to suspect the malware was tied to the Turla APT. ThreatConnect now assesses with moderate confidence that the malware is associated with the Turla APT, based on additional overlaps with known Turla infrastructure. Additional details, including file hashes, C2 domains, IP addresses, and Snort rules, are available in the ThreatConnect Subscriber Community.
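The triage the paragraph above implies, pulling hardcoded hostnames out of a DLL image and checking whether they resolve into a provider's address space, can be scripted. The following is an added example written for this page; it is not ThreatConnect's code and contains none of the incident's indicators. The DLL bytes, the domain names, the resolver table and the 203.0.113.0/24 netblock are all constructed placeholders; in real use you would read the DLL from disk, resolve with real DNS, and load the provider's prefixes and the C2 domains from the platform.

```python
import re
import ipaddress

# Constructed stand-in for a DLL image: a few printable strings embedded in
# binary padding. The hostnames are placeholders, not real indicators.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"update.example-satcdn.test\x00"
    + b"\xff\x00\x12" * 8
    + b"kernel32.dll\x00"          # looks like a hostname; shows the noise
    + b"cdn2.example-satcdn.test\x00"
    + b"Mozilla/5.0\x00"
)

# Constructed, hypothetical netblock standing in for the satellite
# provider's address space. Real prefixes come from the incident data.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver results so the script runs offline.
# Replace with socket.gethostbyname() or a passive-DNS lookup in practice.
FAKE_DNS = {
    "update.example-satcdn.test": "203.0.113.17",
    "cdn2.example-satcdn.test": "203.0.113.42",
}

# label.label.tld, lowercase, at least one dot and an alphabetic TLD
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}")


def extract_domains(blob: bytes, min_len: int = 4):
    """Return sorted hostname-looking ASCII strings found in a binary blob.

    This step is deliberately loose: filenames such as kernel32.dll match
    too, so candidates must be confirmed by the resolution check below.
    """
    printable_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    found = set()
    for run in printable_runs:
        for m in DOMAIN_RE.finditer(run.lower()):
            found.add(m.group(0).decode())
    return sorted(found)


def in_provider_space(ip: str, nets) -> bool:
    """True if ip falls inside any of the watched netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def triage(blob: bytes, resolver: dict, nets):
    """Candidate domains whose resolved address lands in provider space."""
    hits = []
    for domain in extract_domains(blob):
        ip = resolver.get(domain)      # None for unresolvable names
        if ip and in_provider_space(ip, nets):
            hits.append((domain, ip))
    return hits


if __name__ == "__main__":
    for domain, ip in triage(SAMPLE_DLL, FAKE_DNS, PROVIDER_NETS):
        print(f"{domain} -> {ip} (provider space)")
```

The string extraction is intentionally noisy; the signal comes from the second step, which is the same reasoning the TIPper applies: a hardcoded name is interesting because of where it resolves, not because it appears in the binary. Swapping `FAKE_DNS` for a passive-DNS source lets you check historical resolutions as well as current ones.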
For additional details, current ThreatConnect users can access this incident by selecting this LINK or search for incident “20160114C” in the ThreatConnect Platform.
If you do not have a ThreatConnect account, click HERE to access our Free Edition as well as 30-day access to our Subscriber Community. ThreatConnect’s Free Edition allows you to establish a basic threat intelligence practice, collaborate with your internal team, protect your organization with open source threat data, bulk import cyberthreat indicators, contribute to the ThreatConnect Community, and receive support and validation from outside researchers and analysts also using the platform. The Subscriber Community includes timely notification of threat incidents identified by the ThreatConnect Research team, an exclusive service offered at no additional charge to paying customers.