win.turian

turian


According to MITRE ATT&CK, Turian is a backdoor used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor last observed in 2013 in use against diplomatic targets in Syria and the United States.

References
2023-01-18 | Palo Alto Networks Unit 42 | Unit42
  Chinese Playful Taurus Activity in Iran
  Families: turian
2022-06-01 | Fortinet | Fred Gutierrez, James Slaughter, Shunichi Imano
  CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability "Follina"
  Families: turian
2021-06-10 | ESET Research | Adam Burgher
  BackdoorDiplomacy: Upgrading from Quarian to Turian
  Families: CHINACHOPPER, DoublePulsar, EternalRocks, turian; Actor: BackdoorDiplomacy
Yara Rules
[TLP:WHITE] win_turian_auto (20230808 | Detects win.turian.)
rule win_turian_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.turian."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 ff15???????? 89450c 8bf8 33c0 }
            // n = 5, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   8bf8                 | mov                 edi, eax
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { e8???????? 83c404 85c0 740d 8d4c2410 51 }
            // n = 6, score = 400
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   8d4c2410             | lea                 ecx, [esp + 0x10]
            //   51                   | push                ecx

        $sequence_2 = { ffd7 8b3d???????? 53 ffd7 56 ffd7 83c408 }
            // n = 7, score = 400
            //   ffd7                 | call                edi
            //   8b3d????????         |                     
            //   53                   | push                ebx
            //   ffd7                 | call                edi
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   83c408               | add                 esp, 8

        $sequence_3 = { 81ec88000000 53 55 56 57 b921000000 33c0 }
            // n = 7, score = 400
            //   81ec88000000         | sub                 esp, 0x88
            //   53                   | push                ebx
            //   55                   | push                ebp
            //   56                   | push                esi
            //   57                   | push                edi
            //   b921000000           | mov                 ecx, 0x21
            //   33c0                 | xor                 eax, eax

        $sequence_4 = { 85c0 750a 5f 5e 5d 81c49c000000 c3 }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   750a                 | jne                 0xc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   81c49c000000         | add                 esp, 0x9c
            //   c3                   | ret                 

        $sequence_5 = { 729b 53 ff15???????? 83c404 a1???????? 85c0 750f }
            // n = 7, score = 400
            //   729b                 | jb                  0xffffff9d
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   750f                 | jne                 0x11

        $sequence_6 = { 72ba 68???????? ff15???????? 5f 5e 5d 83c8ff }
            // n = 7, score = 400
            //   72ba                 | jb                  0xffffffbc
            //   68????????           |                     
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_7 = { 66a3???????? 5b c3 6a3f 50 }
            // n = 5, score = 400
            //   66a3????????         |                     
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   6a3f                 | push                0x3f
            //   50                   | push                eax

        $sequence_8 = { 7403 c60000 68???????? 56 ffd7 85c0 }
            // n = 6, score = 400
            //   7403                 | je                  5
            //   c60000               | mov                 byte ptr [eax], 0
            //   68????????           |                     
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax

        $sequence_9 = { ffd5 85c0 750e 8d4f46 8d5642 }
            // n = 5, score = 400
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   750e                 | jne                 0x10
            //   8d4f46               | lea                 ecx, [edi + 0x46]
            //   8d5642               | lea                 edx, [esi + 0x42]

    condition:
        7 of them and filesize < 645120
}
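To make the rule's matching logic concrete, the following Python script is an added example; it is not part of Malpedia, yara-signator or the rule above, and it is not a substitute for YARA itself. It translates the ten hex strings of win_turian_auto into byte regexes (each `??` becomes a single-byte wildcard, which is why call targets, data references and immediates do not have to match), applies the condition `7 of them and filesize < 645120`, and runs the result over constructed byte buffers. The buffers are synthetic: they embed the sequences with arbitrary filler bytes in place of `??` and are not Turian samples. `build_sample`, `MIN_MATCHES`, `MAX_FILESIZE` and the filler value are assumptions introduced for this example.

```python
import re

# The ten hex strings from win_turian_auto, copied verbatim from the rule above.
TURIAN_SEQUENCES = {
    "sequence_0": "50 ff15???????? 89450c 8bf8 33c0",
    "sequence_1": "e8???????? 83c404 85c0 740d 8d4c2410 51",
    "sequence_2": "ffd7 8b3d???????? 53 ffd7 56 ffd7 83c408",
    "sequence_3": "81ec88000000 53 55 56 57 b921000000 33c0",
    "sequence_4": "85c0 750a 5f 5e 5d 81c49c000000 c3",
    "sequence_5": "729b 53 ff15???????? 83c404 a1???????? 85c0 750f",
    "sequence_6": "72ba 68???????? ff15???????? 5f 5e 5d 83c8ff",
    "sequence_7": "66a3???????? 5b c3 6a3f 50",
    "sequence_8": "7403 c60000 68???????? 56 ffd7 85c0",
    "sequence_9": "ffd5 85c0 750e 8d4f46 8d5642",
}
ALL_NAMES = list(TURIAN_SEQUENCES)

# Constants mirroring the rule's condition "7 of them and filesize < 645120".
MIN_MATCHES = 7
MAX_FILESIZE = 645120


def hex_pattern_to_regex(pattern):
    """Translate a YARA hex string (hex bytes plus '??' wildcards) into a bytes regex.

    Each '??' becomes '.', so the opcode skeleton matches regardless of the
    relocated address or immediate that the original sample carried there.
    """
    tokens = pattern.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd-length hex pattern: %r" % pattern)
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        if pair == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches 0x0a, which would otherwise be excluded.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in TURIAN_SEQUENCES.items()}


def matching_sequences(data):
    """Return the names of the rule's strings that occur anywhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data):
    """Mirror the rule condition: at least 7 of the 10 strings and filesize < 645120.

    YARA's filesize is the size of the scanned file (or buffer); here it is len(data).
    """
    if len(data) >= MAX_FILESIZE:
        return False
    return len(matching_sequences(data)) >= MIN_MATCHES


def build_sample(sequence_names, filler="41"):
    """Construct a synthetic buffer (not real malware) that embeds the named
    sequences, substituting the two-hex-digit filler for every '??' byte and
    separating them with int3 padding."""
    body = b"\x90" * 16
    for name in sequence_names:
        concrete = TURIAN_SEQUENCES[name].replace(" ", "").replace("??", filler)
        body += bytes.fromhex(concrete) + b"\xcc" * 8
    return body


if __name__ == "__main__":
    hit = build_sample(ALL_NAMES[:7])          # seven strings present -> matches
    miss = build_sample(ALL_NAMES[:6])         # six strings present  -> no match
    oversized = hit + b"\x00" * (MAX_FILESIZE - len(hit))  # too large -> no match
    for label, buf in (("hit", hit), ("miss", miss), ("oversized", oversized)):
        print(label, len(buf), matching_sequences(buf), rule_matches(buf))
```

Changing the filler passed to `build_sample` (for example `"00"` instead of `"41"`) does not change the verdict, which is the practical effect of the `??` wildcards in the rule. For real scanning, compile the rule text itself with yara-python (`yara.compile(source=...)`) rather than this matcher; the script exists only to show why an auto-generated opcode-sequence rule tolerates rebasing and why the `7 of them` threshold, not any single string, decides the match.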