Epic Backdoor

Epic is a backdoor created by the Turla advanced persistent threat (APT) group and used as the primary, first-stage implant in its campaigns.

Turla, also known as Snake or Uroburos, is one of the most sophisticated ongoing cyber-espionage campaigns.

Turla uses a variety of vectors to deliver Epic, including:

  • Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
  • Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR
  • Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
  • Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers

Once Epic is installed it initiates communications with Turla’s command-and-control infrastructure and transmits system and user information to the group, which then uses that information to decide which additional malware to install on the device via Epic.

Immediately after infection, the Epic backdoor connects to the command-and-control (C&C) server and sends a package containing the victim’s system information. The backdoor is also known as “WorldCupSec”, “TadjMakhal”, “Wipbot” or “Tadvig”.

Once a system is compromised, the attackers receive brief summary information about the victim and, based on it, deliver pre-configured batch files containing a series of commands to execute. In addition, they upload custom lateral-movement tools, including a specific keylogger, a RAR archiver and standard utilities such as Microsoft’s DNS query tool.

For further information

IOC (Indicators of compromise)

IP Addresses

Domain Names

Please note that some of the sites listed are popular legitimate services (highlighted in red on the original page) and should not really be blocked outright.

.onion is a special-use top-level domain reserved for anonymous Tor hidden services; such names can only be reached through the Tor network.
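To put the page’s indicator list to use without blocking the popular legitimate sites it contains, here is an added example (not code from the original page) that refangs the `[.]`-style entries, matches DNS/proxy log lines against them, and grades each hit; the log line format, the `POPULAR_LEGIT` set, the indicator excerpt and the sample log lines are constructed assumptions.

```python
import re

# Constructed excerpt of the page's defanged indicator list (a few entries, not the full set).
DEFANGED_IOCS = """
1[.]20[.]24[.]25
140[.]138[.]145[.]182
chickenkiller[.]com
2weedyrekmapdyux[.]onion
hotmail[.]com
"""
# Popular legitimate domains that also appear in the list (the page's "red" entries):
# a hit on one of these is low confidence on its own, so do not block it outright.
POPULAR_LEGIT = {"hotmail.com", "hotmail.co.uk", "msn.com", "mail.ru", "yandex.ru"}
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_RE = re.compile(r"(?:query|connect)\s+([A-Za-z0-9.\-]+)")

def refang(ioc):
    """Turn a defanged indicator such as 140[.]138[.]2[.]235 back into 140.138.2.235."""
    return ioc.strip().lower().replace("[.]", ".")

def load_iocs(text):
    return {refang(line) for line in text.splitlines() if line.strip()}

def classify(line, iocs):
    """Return (matched indicator, confidence) for one DNS/proxy log line, or None."""
    m = HOST_RE.search(line)
    if not m:
        return None
    host = m.group(1).lower()
    if IP_RE.match(host):
        candidates = {host}                       # IPs match exactly
    else:                                         # domains match on any parent suffix
        labels = host.split(".")
        candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    hits = candidates & iocs
    if not hits:
        return None
    hit = max(hits, key=len)                      # keep the most specific match
    if hit in POPULAR_LEGIT:
        return hit, "low"
    if hit.endswith(".onion"):                    # .onion never belongs in ordinary DNS:
        return hit, "high"                        # something tried to reach Tor outside Tor
    return hit, "medium"

# Constructed sample DNS/proxy log lines: timestamp, source host, event, destination.
SAMPLE_LOG = [
    "2014-08-07T10:01:02 ws-05 dns query chickenkiller.com",
    "2014-08-07T10:01:09 ws-05 http connect 140.138.145.182:80",
    "2014-08-07T10:02:00 ws-07 dns query hotmail.com",
    "2014-08-07T10:02:30 ws-09 dns query 2weedyrekmapdyux.onion",
]
```

Suffix matching means a lookup for `mail.hotmail.com` still hits the `hotmail.com` entry, but is graded low so it can be reviewed rather than blocked.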


Email Addresses





Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Duncan Newell
