HyperStack

Malware updated 4 days ago (2024-11-29T14:26:56.224Z)
HyperStack, also known as SilentMoo or BigBoss, is a Remote Procedure Call (RPC) backdoor malware that was first observed in 2018. It has been utilized in operations targeting European government entities and is linked to the Russian-based threat group Pensive Ursa, which has been operational since at least 2004. The malware exploits systems through suspicious downloads, emails, or websites, often without the user's knowledge, and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. HyperStack creates a service for persistence and communicates over RPC with other infected machines within a compromised environment.

The malware exhibits several similarities with Pensive Ursa’s Carbon backdoor, such as the encryption scheme, configuration file format, and logging convention. These resemblances suggest that updates to HyperStack found in September 2020 were inspired by Turla's other malware operations, potentially as a response to remediation activity taken by the victim.

In addition to HyperStack, prevention and detection alerts have been raised for other malware types in Pensive Ursa's arsenal including Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, and TinyTurla. To mitigate the threat of HyperStack, alongside Carbon and Kazuar, ACTI recommends checking network logs for indicators related to these backdoors. Alerts for HyperStack execution prevention and service creation for persistence have been displayed in Cortex XDR in detect mode.

As HyperStack continues to evolve and pose significant threats, ongoing vigilance, robust cybersecurity measures, and regular system checks are crucial for preventing potential breaches and minimizing damage.
Description last updated: 2024-05-04T18:48:53.074Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Associated Malware
Alias Description: The Kazuar Malware is associated with HyperStack. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and
Association Type: Unspecified
Votes: 2
Associated Threat Actors
Alias Description: The Turla Threat Actor is associated with HyperStack. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Association Type: Unspecified
Votes: 2
Source Document References
Information about the HyperStack Malware was read from the documents corpus below.