SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_rpc (Back to overview)

TurlaRPC

Actor(s): Turla Group

There is no description at this point.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-19Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ TurlaRPC
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29ESET ResearchMatthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20220516 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660f6f05???????? 66c785ec0000000255 c785a0000000193a3431 c785a4000000193c3727 c785a800000034272c02 }
            // n = 5, score = 200
            //   660f6f05????????     |                     
            //   66c785ec0000000255     | mov    dword ptr [ebp + 0x118], 0x2630363a
            //   c785a0000000193a3431     | mov    word ptr [ebp + 0x11c], 0x226
            //   c785a4000000193c3727     | mov    byte ptr [ebp + 0x11e], 0x55
            //   c785a800000034272c02     | mov    dword ptr [ebp + 0x90], 0x34302716

        $sequence_1 = { 4885c0 744e 4c8b4708 488b17 488bcb }
            // n = 5, score = 200
            //   4885c0               | dec                 eax
            //   744e                 | test                eax, eax
            //   4c8b4708             | je                  0x50
            //   488b17               | dec                 esp
            //   488bcb               | mov                 eax, dword ptr [edi + 8]

        $sequence_2 = { 660f6f05???????? c7858000000012302101 c7858400000030382505 c7858800000034213d02 f30f7f8530010000 }
            // n = 5, score = 200
            //   660f6f05????????     |                     
            //   c7858000000012302101     | dec    eax
            //   c7858400000030382505     | mov    edx, dword ptr [edi]
            //   c7858800000034213d02     | dec    eax
            //   f30f7f8530010000     | mov                 ecx, ebx

        $sequence_3 = { c645bc55 c7854001000030163930 c78544010000343b2025 c6854801000055 c78560010000013c3830 c785640100003a202155 c785a8010000271c3367 }
            // n = 7, score = 200
            //   c645bc55             | mov                 byte ptr [ebp - 0x44], 0x55
            //   c7854001000030163930     | mov    dword ptr [ebp + 0x140], 0x30391630
            //   c78544010000343b2025     | mov    dword ptr [ebp + 0x144], 0x25203b34
            //   c6854801000055       | mov                 byte ptr [ebp + 0x148], 0x55
            //   c78560010000013c3830     | mov    dword ptr [ebp + 0x160], 0x30383c01
            //   c785640100003a202155     | mov    dword ptr [ebp + 0x164], 0x5521203a
            //   c785a8010000271c3367     | mov    dword ptr [ebp + 0x1a8], 0x67331c27

        $sequence_4 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   c745b472536163       | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   66c745b86c00         | mov                 word ptr [ebp - 0x48], 0x6c
            //   ff15????????         |                     

        $sequence_5 = { c785900100002130271c 66c785940100003355 c7857801000026302410 66c7857c0100002502 c6857e01000055 c7452038262336 }
            // n = 6, score = 200
            //   c785900100002130271c     | mov    dword ptr [ebp + 0x190], 0x1c273021
            //   66c785940100003355     | mov    word ptr [ebp + 0x194], 0x5533
            //   c7857801000026302410     | mov    dword ptr [ebp + 0x178], 0x10243026
            //   66c7857c0100002502     | mov    word ptr [ebp + 0x17c], 0x225
            //   c6857e01000055       | mov                 byte ptr [ebp + 0x17e], 0x55
            //   c7452038262336       | mov                 dword ptr [ebp + 0x20], 0x36232638

        $sequence_6 = { 66c745082133 c6450a55 c745980a22333a c7459c25303b55 }
            // n = 4, score = 200
            //   66c745082133         | mov                 dword ptr [ebp + 0xe0], 0x3213012
            //   c6450a55             | mov                 dword ptr [ebp + 0xe4], 0x3c262730
            //   c745980a22333a       | mov                 dword ptr [ebp + 0xe8], 0x2d103b3a
            //   c7459c25303b55       | movdqu              xmmword ptr [ebp + 0x1e0], xmm0

        $sequence_7 = { c7851001000016273034 c7851401000021300527 c785180100003a363026 66c7851c0100002602 c6851e01000055 c7859000000016273034 }
            // n = 6, score = 200
            //   c7851001000016273034     | mov    dword ptr [ebp + 0x80], 0x1213012
            //   c7851401000021300527     | mov    dword ptr [ebp + 0x84], 0x5253830
            //   c785180100003a363026     | mov    dword ptr [ebp + 0x88], 0x23d2134
            //   66c7851c0100002602     | movdqu    xmmword ptr [ebp + 0x130], xmm0
            //   c6851e01000055       | mov                 dword ptr [ebp + 0x110], 0x34302716
            //   c7859000000016273034     | mov    dword ptr [ebp + 0x114], 0x27053021

        $sequence_8 = { c785e000000012302103 c785e40000003027263c c785e80000003a3b102d f30f7f85e0010000 660f6f05???????? }
            // n = 5, score = 200
            //   c785e000000012302103     | mov    dword ptr [ebp + 0xe0], 0x3213012
            //   c785e40000003027263c     | mov    dword ptr [ebp + 0xe4], 0x3c262730
            //   c785e80000003a3b102d     | mov    dword ptr [ebp + 0xe8], 0x2d103b3a
            //   f30f7f85e0010000     | movdqu              xmmword ptr [ebp + 0x1e0], xmm0
            //   660f6f05????????     |                     

        $sequence_9 = { 83e11f c1e106 83c10c 8b0485d8860110 }
            // n = 4, score = 100
            //   83e11f               | and                 ecx, 0x1f
            //   c1e106               | shl                 ecx, 6
            //   83c10c               | add                 ecx, 0xc
            //   8b0485d8860110       | mov                 eax, dword ptr [eax*4 + 0x100186d8]

        $sequence_10 = { 40 83f80b 72f5 c78528feffff5f736e70 }
            // n = 4, score = 100
            //   40                   | inc                 eax
            //   83f80b               | cmp                 eax, 0xb
            //   72f5                 | jb                  0xfffffff7
            //   c78528feffff5f736e70     | mov    dword ptr [ebp - 0x1d8], 0x706e735f

        $sequence_11 = { 50 e8???????? 818da0fdffff01010000 0f57c0 33c0 c78574fdffff44000000 53 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   818da0fdffff01010000     | or    dword ptr [ebp - 0x260], 0x101
            //   0f57c0               | xorps               xmm0, xmm0
            //   33c0                 | xor                 eax, eax
            //   c78574fdffff44000000     | mov    dword ptr [ebp - 0x28c], 0x44
            //   53                   | push                ebx

        $sequence_12 = { c745e870006500 c745ec5c006100 c745f074006300 c745f474006c00 }
            // n = 4, score = 100
            //   c745e870006500       | mov                 dword ptr [ebp - 0x18], 0x650070
            //   c745ec5c006100       | mov                 dword ptr [ebp - 0x14], 0x61005c
            //   c745f074006300       | mov                 dword ptr [ebp - 0x10], 0x630074
            //   c745f474006c00       | mov                 dword ptr [ebp - 0xc], 0x6c0074

        $sequence_13 = { 6a00 68???????? ff15???????? 8b4dfc b801000000 33cd }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   b801000000           | mov                 eax, 1
            //   33cd                 | xor                 ecx, ebp

        $sequence_14 = { ff9570fdffff 8987a8000000 8d45ec 50 53 8b9d70fdffff ffd3 }
            // n = 7, score = 100
            //   ff9570fdffff         | call                dword ptr [ebp - 0x290]
            //   8987a8000000         | mov                 dword ptr [edi + 0xa8], eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8b9d70fdffff         | mov                 ebx, dword ptr [ebp - 0x290]
            //   ffd3                 | call                ebx

        $sequence_15 = { 8d8578ffffff 50 53 ff9570fdffff 898784000000 }
            // n = 5, score = 100
            //   8d8578ffffff         | lea                 eax, [ebp - 0x88]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff9570fdffff         | call                dword ptr [ebp - 0x290]
            //   898784000000         | mov                 dword ptr [edi + 0x84], eax

    condition:
        7 of them and filesize < 311296
}
Download all Yara Rules