win.turian

turian


According to Mitre, Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.

References
2023-01-18 — Palo Alto Networks Unit 42 — Unit42
Chinese Playful Taurus Activity in Iran
turian
2022-06-01 — Fortinet — Fred Gutierrez, James Slaughter, Shunichi Imano
CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina”
turian
2021-06-10 — ESET Research — Adam Burgher
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks turian BackdoorDiplomacy
Yara Rules
[TLP:WHITE] win_turian_auto (20260504 | Detects win.turian.)
rule win_turian_auto {
    // Autogenerated code-sequence signature for win.turian (Turian, attributed to
    // BackdoorDiplomacy). Each $sequence_N below is a short run of 32-bit x86
    // instruction bytes lifted from disassembly of unpacked samples / memory dumps.
    // The "??" bytes are YARA wildcards placed over address or displacement operands
    // (the imm32 of a1 / e8 / ff15 / 8b3d etc.), so relocation and build differences
    // in those operands do not break the match. Opcode and register bytes are fixed.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.turian."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation are published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The per-sequence annotations are generator output: "n" is the number of
        // instructions in the sequence and "score" is yara-signator's selection
        // score for it (ranking semantics are defined by the generator, not by YARA).
        // Instructions whose disassembly column is blank are the ones carrying a
        // wildcarded address operand.
        $sequence_0 = { a1???????? 8902 668b0d???????? 66894a04 8b8c2490000000 e8???????? 83f810 }
            // n = 7, score = 400
            //   a1????????           |                     
            //   8902                 | mov                 dword ptr [edx], eax
            //   668b0d????????       |                     
            //   66894a04             | mov                 word ptr [edx + 4], cx
            //   8b8c2490000000       | mov                 ecx, dword ptr [esp + 0x90]
            //   e8????????           |                     
            //   83f810               | cmp                 eax, 0x10

        $sequence_1 = { 881d???????? 891d???????? 66a3???????? 5b c3 6a3f 50 }
            // n = 7, score = 400
            //   881d????????         |                     
            //   891d????????         |                     
            //   66a3????????         |                     
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   6a3f                 | push                0x3f
            //   50                   | push                eax

        $sequence_2 = { 52 ffd5 85c0 7423 a1???????? 43 }
            // n = 6, score = 400
            //   52                   | push                edx
            //   ffd5                 | call                ebp
            //   85c0                 | test                eax, eax
            //   7423                 | je                  0x25
            //   a1????????           |                     
            //   43                   | inc                 ebx

        $sequence_3 = { c3 8d542410 6a10 52 8bce }
            // n = 5, score = 400
            //   c3                   | ret                 
            //   8d542410             | lea                 edx, [esp + 0x10]
            //   6a10                 | push                0x10
            //   52                   | push                edx
            //   8bce                 | mov                 ecx, esi

        $sequence_4 = { 51 ffd7 8b542414 52 ffd7 8b3d???????? }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   ffd7                 | call                edi
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   52                   | push                edx
            //   ffd7                 | call                edi
            //   8b3d????????         |                     

        $sequence_5 = { 85c0 0f840affffff 5f 5e 5d 33c0 }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   0f840affffff         | je                  0xffffff10
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { e8???????? 83f810 7e7c 6a00 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   83f810               | cmp                 eax, 0x10
            //   7e7c                 | jle                 0x7e
            //   6a00                 | push                0

        $sequence_7 = { c1e902 f3a5 8bc8 33c0 83e103 8d542456 f3a4 }
            // n = 7, score = 400
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   33c0                 | xor                 eax, eax
            //   83e103               | and                 ecx, 3
            //   8d542456             | lea                 edx, [esp + 0x56]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]

        $sequence_8 = { 7353 a1???????? 85c0 754a 6809380000 56 }
            // n = 6, score = 400
            //   7353                 | jae                 0x55
            //   a1????????           |                     
            //   85c0                 | test                eax, eax
            //   754a                 | jne                 0x4c
            //   6809380000           | push                0x3809
            //   56                   | push                esi

        $sequence_9 = { 81c49c000000 c3 c60000 40 50 ff15???????? }
            // n = 6, score = 400
            //   81c49c000000         | add                 esp, 0x9c
            //   c3                   | ret                 
            //   c60000               | mov                 byte ptr [eax], 0
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff15????????         |                     

    condition:
        // Fires when at least 7 of the 10 sequences are present (up to 3 may be
        // missing, which tolerates minor code changes between builds) and the
        // scanned object is smaller than 645120 bytes (630 KiB).
        // NOTE(review): the size bound is derived from the documented sample(s);
        // larger or differently packed builds fall outside it, and when scanning
        // process memory the meaning of filesize depends on the scanner — confirm
        // its semantics before relying on this clause there.
        7 of them and filesize < 645120
}