Epic Backdoor
Epic is a backdoor created by the Turla advanced persistent threat group for use as a primary stage in their campaigns
Turla, also known as Snake or Uroburos is one of the most sophisticated ongoing cyber-espionage campaigns.
Turla use a variety of vectors to deliver Epic, including:
- Spear-phishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
- Social engineering to trick the user into running malware installers with “.SCR” extension, sometimes packed with RAR
- Watering hole attacks using Java exploits (CVE-2012-1723), Adobe Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
- Watering hole attacks that rely on social engineering to trick the user into running fake “Flash Player” malware installers
Once Epic is installed it will initiate communications with Turla’s command and control infrastructure before transmitting system and user information to the group. They will then use that information to determine what malware to install on the device via Epic.
Once the user is infected, the Epic backdoor immediately connects to the command-and-control (C&C) server to send a pack with the victim’s system information. The backdoor is also known as “WorldCupSec”, “TadjMakhal”, “Wipbot” or “Tadvig”.
Once a system is compromised, the attackers receive brief summary information from the victim, and based on that, they deliver pre-configured batch files containing a series of commands for execution. In addition to these, the attackers upload custom lateral movement tools. These include a specific keylogger tool, a RAR archiver and standard utilities like a DNS query tool from Microsoft.
For further information
IOC (Indicators of compromise)
IP Addresses
| 1[.]20[.]24[.]25 |
| 112[.]207[.]24[.]92 |
| 140[.]138[.]145[.]182 |
| 140[.]138[.]145[.]55 |
| 140[.]138[.]145[.]74 |
| 140[.]138[.]146[.]151 |
| 140[.]138[.]147[.]47 |
| 140[.]138[.]148[.]115 |
| 140[.]138[.]148[.]131 |
| 140[.]138[.]148[.]148 |
| 140[.]138[.]149[.]10 |
| 140[.]138[.]149[.]55 |
| 140[.]138[.]149[.]60 |
| 140[.]138[.]149[.]82 |
| 140[.]138[.]149[.]88 |
| 140[.]138[.]149[.]98 |
| 140[.]138[.]153[.]220 |
| 140[.]138[.]173[.]200 |
| 140[.]138[.]2[.]235 |
| 140[.]138[.]238[.]42 |
| 140[.]138[.]240[.]15 |
| 140[.]138[.]240[.]162 |
| 140[.]138[.]241[.]118 |
| 140[.]138[.]241[.]150 |
| 140[.]138[.]241[.]241 |
| 140[.]138[.]241[.]46 |
| 140[.]138[.]243[.]105 |
| 140[.]138[.]243[.]15 |
| 140[.]138[.]243[.]199 |
| 140[.]138[.]246[.]176 |
| 140[.]138[.]247[.]207 |
| 140[.]138[.]248[.]102 |
| 140[.]138[.]3[.]228 |
| 140[.]138[.]3[.]230 |
| 140[.]138[.]3[.]233 |
| 140[.]138[.]5[.]192 |
| 140[.]138[.]5[.]193 |
| 140[.]138[.]5[.]229 |
| 140[.]140[.]140[.]140 |
| 140[.]17[.]185[.]19 |
| 140[.]26[.]153[.]26 |
| 140[.]35[.]153[.]46 |
| 140[.]92[.]12[.]121 |
| 140[.]92[.]12[.]58 |
| 140[.]92[.]145[.]19 |
| 150[.]203[.]24[.]2 |
| 169[.]255[.]137[.]203 |
| 176[.]221[.]121[.]164 |
| 18[.]0[.]1[.]6 |
| 195[.]251[.]32[.]62 |
| 203[.]117[.]122[.]51 |
| 209[.]239[.]115[.]9 |
| 209[.]239[.]115[.]91 |
| 209[.]239[.]79[.]121 |
| 209[.]239[.]79[.]125 |
| 209[.]239[.]79[.]15 |
| 209[.]239[.]79[.]152 |
| 209[.]239[.]79[.]33 |
| 209[.]239[.]79[.]35 |
| 209[.]239[.]79[.]47 |
| 209[.]239[.]79[.]52 |
| 209[.]239[.]79[.]55 |
| 209[.]239[.]79[.]69 |
| 209[.]239[.]82[.]7 |
| 209[.]239[.]85[.]240 |
| 209[.]239[.]89[.]100 |
| 217[.]171[.]86[.]137 |
| 217[.]194[.]150[.]31 |
| 217[.]20[.]242[.]22 |
| 217[.]20[.]243[.]37 |
| 23[.]66[.]164[.]226 |
| 3[.]1[.]2[.]3 |
| 41[.]190[.]233[.]29 |
| 62[.]243[.]189[.]187 |
| 62[.]243[.]189[.]215 |
| 62[.]243[.]189[.]231 |
| 64[.]229[.]80[.]91 |
| 67[.]212[.]81[.]67 |
| 70[.]32[.]39[.]219 |
| 77[.]246[.]71[.]10 |
| 77[.]246[.]76[.]19 |
| 77[.]73[.]187[.]223 |
| 80[.]152[.]223[.]171 |
| 80[.]248[.]65[.]183 |
| 82[.]146[.]166[.]56 |
| 82[.]146[.]166[.]62 |
| 82[.]146[.]174[.]58 |
| 82[.]146[.]175[.]43 |
| 83[.]229[.]87[.]11 |
| 84[.]11[.]79[.]6 |
| 92[.]62[.]218[.]99 |
| 92[.]62[.]219[.]172 |
| 92[.]62[.]220[.]170 |
| 92[.]62[.]221[.]30 |
| 92[.]62[.]221[.]38 |
Domain Names
Please note the sites highlighted in RED are popular sites and should not really be blocked.
.onion is a top-level domain suffix that is specially used as an anonymous hidden service and can be accessed through the Tor network.
| 25u[.]com |
| 2shared[.]com |
| 2weedyrekmapdyux[.]onion |
| 35oo6ubr4uj2xcbj[.]onion |
| 4dq[.]com |
| 4shared[.]com |
| 5h5ps743nnqsjq4l[.]onion |
| 7ep7acrfz3ea32so[.]onion |
| abot[.]com |
| afalrbbcbejzhptv[.]onion |
| bajalamusica[.]blogspot[.]com |
| bat[.]bingo |
| bat[.]swiss |
| blkbook3fxhcsn3u[.]onion |
| box[.]net |
| chickenkiller[.]com |
| crabdance[.]com |
| deepdotrrxo4bx2g[.]onion |
| depositfiles[.]com |
| divx[.]com |
| eaal5rv4wxox5g5s[.]onion |
| easy-share[.]com |
| eavlyseefrrrrrrr[.]onion |
| empiremktxgjovhm[.]onion |
| ezcrypt2dgcicxqj[.]onion |
| ezua[.]com |
| facebookcorewwwi[.]onion |
| faqserv[.]com |
| ffc53e6cnzs7huej[.]onion |
| flhqhmu35gsthcsj[.]onion |
| flugforumpwzz3wq[.]onion |
| forum[.]sytes[.]net |
| fubmhhm7j6esuprg[.]onion |
| gdata[.]de |
| got-game[.]org |
| grams7enqfy4nieo[.]onion |
| hockey-news[.]servehttp[.]com |
| hotmail[.]co[.]uk |
| hotmail[.]com |
| iaea[.]org |
| ignorelist[.]com |
| instanthq[.]com |
| k6h5cwmaidpeutza[.]onion |
| krqewwmhtsqkne7d[.]onion |
| lcrgwum4luxryiyi[.]onion |
| lcwi5apssa3ofa6h[.]onion |
| leagueoflegends[.]servequake[.]com |
| lfy3lkc53rtbwdw6[.]onion |
| linkpc[.]net |
| mabinogiworld[.]com |
| mail[.]ru |
| marketplace[.]servehttp[.]com |
| micambobufwdjtjw[.]onion |
| minitheatre[.]org |
| mooo[.]com |
| msn[.]com |
| music-world[.]servemp3[.]com |
| myre5ztjxe4n2dg4[.]onion |
| news-bbc[.]podzone[.]org |
| newutils[.]3utilities[.]com |
| nhl-blog[.]servegame[.]com |
| nrlsyharzv4ycjay[.]onion |
| nytimes3xbfgragh[.]onion |
| ocry[.]com |
| oeeainwwu7thl47r[.]onion |
| owz4sj6qk7is5omt[.]onion |
| pissyv4c2xfkeqzv[.]onion |
| pressforum[.]serveblog[.]net |
| private-download[.]net |
| publicvm[.]com |
| pvlxj2fcjzphk5go[.]onion |
| rapidshare[.]com |
| raw[.]githubusercontent[.]com |
| rohitab[.]com |
| sellclassics[.]com |
| share-online[.]biz |
| shopcc55a5caqsr2[.]onion |
| skrrrrt7sqfmj46r[.]onion |
| telnet[.]pl |
| threads[.]com |
| toh[.]info |
| torvps7kzis5ujfz[.]onion |
| travelclothes[.]org |
| tssa3saypkimmkcy[.]onion |
| tumbachegvyaadyq[.]onion |
| turbobit[.]net |
| ukcetcrsljszswdr[.]onion |
| uploaded[.]net |
| uploading[.]com |
| uu5viqx5d3nkhhl4[.]onion |
| vcip[.]net |
| vqldzpoolgporzdg[.]onion |
| wcrxsawf3h6ptter[.]onion |
| win32[.]turla[.]ck |
| wisebodyasltpgf3[.]onion |
| xvp2vy5iwzmeam5e[.]onion |
| yandex[.]ru |
| ycau2biripxexpdz[.]onion |
| zippyshare[.]com |
| zlibraryexau2g3p[.]onion |
Email Addresses
| 994329@lemonlink[.]net |
| [ANYNAME]@mohamedsayedsa[.]rar |
| adski123@hotmail[.]com |
| are_you_impressed@hotmail[.]com |
| arnabsempire@hotmail[.]com |
| badboyjoe@sbcglobal[.]net |
| balls418@hotmail[.]com |
| bettenhausen@hotmail[.]com |
| biankab01@yahoo[.]com |
| bigmitch@eatel[.]net |
| bon_dimapilis@yahoo[.]com |
| bsbise@yahoo[.]com |
| butnugget101@hotmail[.]co[.]uk |
| carl_james_950@hotmail[.]com |
| caseybudney@hotmail[.]com |
| catacomb_crawler@hotmail[.]co[.]uk |
| chasity20102003@yahoo[.]com |
| chel2798409@aol[.]com |
| corson@hotmail[.]com |
| crazzyleggs@hotmail[.]com |
| cuddlysiana@yahoo[.]com |
| david@southcote[.]net |
| dcoderz@hotmail[.]com |
| debby1166@yahoo[.]com |
| dkh1963@yahoo[.]com |
| dkh@texas[.]net |
| dnetman_one@yahoo[.]com |
| dog@supanet[.]com |
| doug6015@charter[.]net |
| dragonflyj@hotmail[.]com |
| eskarina@dreamlandpark[.]com |
| gonzaloj@inicia[.]es |
| goody2wifeca@yahoo[.]ca |
| guguko@hotmail[.]com[.]br |
| hellodeadman9@yahoo[.]co[.]in |
| hotshot01@yahoo[.]com |
| intelligence@gdata[.]de |
| jamcomj@yahoo[.]com |
| jcwaugh@mindspring[.]com |
| jelle[.]emke@wxs[.]nl |
| jepoy_182_2004@yahoo[.]com |
| jheaton@heatonresearch[.]com |
| jmista1@hotmail[.]co[.]uk |
| johnmryan62@hotmail[.]com |
| joszua_fliped@yahoo[.]com |
| jprtech@yahoo[.]com |
| kdogg52@netscape[.]net |
| killa_mv@hotmail[.]com |
| kisgadanyi@citromail[.]hu |
| kodo@vol[.]at |
| kubo45@post[.]sk |
| leanne@southcote[.]net |
| lil_crazykid_06@hotmail[.]com |
| lincy_222@hotmail[.]com |
| losttear377@yahoo[.]com |
| luc[.]pierre[.]garcia@live[.]fr |
| m-xian@care2[.]com |
| m_tameem_safi@hotmail[.]co[.]uk |
| maryjade2004@msn[.]com |
| mattpatt13000@yahoo[.]com |
| max890@hotmail[.]co[.]uk |
| mclymontkids@hotmail[.]com |
| melinx@telus[.]net |
| mexmap2525@aim[.]com |
| mfateem@hotmail[.]com |
| mordizer@mordspace[.]net |
| msmckinney@mindspring[.]com |
| mursyidux@yahoo[.]com |
| naughtygirl0116@aol[.]com |
| neonmasda@gmail[.]com |
| nguyentan_tr@yahoo[.]com |
| nordinabdullah@yahoo[.]com |
| oktanis@hotmail[.]com |
| pareekshikha@gmail[.]com |
| parsnip_1@hotmail[.]com |
| pbruzaca@iurdma[.]com[.]br |
| pogi_james_17@yahoo[.]com |
| prince_of_pueblo@yahoo[.]com |
| ps2junky@charter[.]net |
| r_balanghig@yahoo[.]ca |
| ramiruth@aol[.]com |
| ranjith@animationtoday[.]net |
| razglaz@yandex[.]ru |
| res1tgco@verizon[.]net |
| roboboy6000@aol[.]com |
| slzaz@shaw[.]ca |
| sodhiaman013@rediffmail[.]com |
| strykertffd@hotmail[.]com |
| subway_lady@hotmail[.]com |
| suchitra_shetty80@yahoo[.]com |
| superzhyang@yahoo[.]com[.]cn |
| tameemsafi@hotmail[.]co[.]uk |
| tinkstarette@aol[.]com |
| viperfire523@yahoo[.]com |
| wanstedt@telia[.]com |
| wildanimal_223@yahoo[.]com |
| wish_rian@hotmail[.]com |
| your_mum_loves_me_3110@hotmail[.]com |
| z-reiner@web[.]de |
| z[.]rehman315@gmail[.]com |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.