win.tiny_turla

TinyTurla

Actor(s): Turla Group


Talos describes this as a malware family with very scoped functionality and thus a small code footprint, likely used as a second-chance backdoor — i.e. a minimal implant left on the host so the actor can regain access if the primary tooling is discovered and removed.

References
2022-03-28Cyber Geeks (CyberMasterV)Vlad Pasca
@online{pasca:20220328:stepbystep:7d92613, author = {Vlad Pasca}, title = {{A Step-by-Step Analysis of the Russian APT Turla Backdoor called TinyTurla}}, date = {2022-03-28}, organization = {Cyber Geeks (CyberMasterV)}, url = {https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/}, language = {English}, urldate = {2022-03-29} } A Step-by-Step Analysis of the Russian APT Turla Backdoor called TinyTurla
TinyTurla
2021-09-21Talos IntelligenceTalos
@online{talos:20210921:tinyturla:c5f6f90, author = {Talos}, title = {{TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines}}, date = {2021-09-21}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2021/09/tinyturla.html}, language = {English}, urldate = {2021-09-22} } TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines
TinyTurla
Yara Rules
[TLP:WHITE] win_tiny_turla_auto (20221125 | Detects win.tiny_turla.)
rule win_tiny_turla_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.tiny_turla."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * Provenance and caveats
     *
     * The ten byte sequences below were chosen automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly of
     * Malpedia memory dumps and unpacked files. Malpedia documents only a single
     * sample for many families, so these sequences describe one build and may
     * not generalise to recompiled or repacked variants. Treat a hit as a lead
     * for triage rather than a verdict, and assign confidence accordingly.
     *
     * The sequences carry x64 REX prefixes (41/44/45/48/49/4c/4d), so this rule
     * targets 64-bit code. The per-byte annotations originally emitted by the
     * generator were 32-bit decodings of that 64-bit code; they have been
     * replaced with an x64 reading below. Verify in a disassembler before
     * relying on any of them.
     *
     * $sequence_0 and $sequence_2 share the tail `45 33 ed bb 0b 00 00 00`, so
     * they are not fully independent evidence when counting towards "7 of".
     *
     * Wildcards (??) stand for rel32 call/jump targets and RIP-relative import
     * slots, which differ between builds and load addresses.
     */

    strings:
        // call [rip+disp32] ; test eax, eax ; jne +0x16 ; xor r13d, r13d ; mov ebx, 0xb
        $sequence_0 = { ff 15 ?? ?? ?? ?? 85 c0 75 16 45 33 ed bb 0b 00 00 00 }

        // Stack-argument setup:
        //   mov [rsp+0x30], r12 ; mov dword [rsp+0x28], 0x08000000 ; mov dword [rsp+0x20], 1
        //   mov dword [rsp+0x70], 0x68 ; mov dword [rsp+0xac], 0x101 ; mov word [rsp+0xb0], r12w
        // NOTE(review): 0x68 / 0x101 resemble a STARTUPINFO cb / dwFlags pair and
        // 0x08000000 resembles CREATE_NO_WINDOW, i.e. a CreateProcess prologue —
        // plausible from the constants alone, not confirmed here.
        $sequence_1 = { 4c 89 64 24 30 c7 44 24 28 00 00 00 08 c7 44 24 20 01 00 00 00 c7 44 24 70 68 00 00 00 c7 84 24 ac 00 00 00 01 01 00 00 66 44 89 a4 24 b0 00 00 00 }

        // mov rcx, rdi ; call rel32 ; xor r13d, r13d ; mov ebx, 0xb
        $sequence_2 = { 48 8b cf e8 ?? ?? ?? ?? 45 33 ed bb 0b 00 00 00 }

        // je rel32 ; mov ecx, eax ; call rel32 ; mov [r14], rax ; mov rcx, rbx ; test rax, rax
        $sequence_3 = { 0f 84 c4 fe ff ff 8b c8 e8 ?? ?? ?? ?? 49 89 06 48 8b cb 48 85 c0 }

        // lea eax, [rdx+1] ; mov [rsi+rbx*8], rcx ; mov rcx, [rsp+0x20] ; mov rsi, [r15]
        // mov rcx, [rcx+rax*8] ; call rel32 ; inc edi
        $sequence_4 = { 8d 42 01 48 89 0c de 48 8b 4c 24 20 49 8b 37 48 8b 0c c1 e8 ?? ?? ?? ?? ff c7 }

        // Function prologue: sub rsp, 0x38 ; mov r15, rdx ; mov r14, r8 ; lea rdx, [rsp+0x68]
        $sequence_5 = { 48 83 ec 38 4c 8b fa 4d 8b f0 48 8d 54 24 68 }

        // call [rip+disp32] ; mov al, 5 ; jmp rel32 ; mov ecx, [rdi] ; test ecx, ecx
        $sequence_6 = { ff 15 ?? ?? ?? ?? b0 05 e9 ?? ?? ?? ?? 8b 0f 85 c9 }

        // je +0x86 ; mov r14d, [rbp+0x67] ; shr r14d, 1 ; mov ecx, r14d
        $sequence_7 = { 0f 84 86 00 00 00 44 8b 75 67 41 d1 ee 41 8b ce }

        // jne +7 ; mov bl, 6 ; jmp rel32 ; sub r14d, esi ; mov [rsp+0x20], r13
        $sequence_8 = { 75 07 b3 06 e9 ?? ?? ?? ?? 44 2b f6 4c 89 6c 24 20 }

        // add rcx, rdx ; jmp rcx (indirect) ; mov rcx, rdi ; call rel32 ; cmp eax, r14d ; je +7
        $sequence_9 = { 48 03 ca ff e1 48 8b cf e8 ?? ?? ?? ?? 41 3b c6 74 07 }

    condition:
        // 50KB is 51200 bytes. The cap matches the "small code footprint"
        // described for this family and keeps the rule off large files that
        // merely embed these byte runs; drop it if scanning memory regions
        // whose reported size is not meaningful.
        filesize < 50KB and 7 of ($sequence_*)
}