SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_rpc (Back to overview)

TurlaRPC

Actor(s): Turla Group


There is no description at this point.

References
2022-09-20cocomelonc
@online{cocomelonc:20220920:malware:c0e9c97, author = {cocomelonc}, title = {{Malware development: persistence - part 11. Powershell profile. Simple C++ example.}}, date = {2022-09-20}, url = {https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html}, language = {English}, urldate = {2022-10-19} } Malware development: persistence - part 11. Powershell profile. Simple C++ example.
Turla RAT TurlaRPC
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team
2021-02-19Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ TurlaRPC
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29ESET ResearchMatthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20221125 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660f6f05???????? c7858000000012302101 c7858400000030382505 c7858800000034213d02 f30f7f8530010000 }
            // n = 5, score = 200
            //   660f6f05????????     |                     
            //   c7858000000012302101     | mov    dword ptr [ebp + 0x80], 0x1213012
            //   c7858400000030382505     | mov    dword ptr [ebp + 0x84], 0x5253830
            //   c7858800000034213d02     | mov    dword ptr [ebp + 0x88], 0x23d2134
            //   f30f7f8530010000     | movdqu              xmmword ptr [ebp + 0x130], xmm0

        $sequence_1 = { c744243033273030 c644243455 c744244033263030 66c74424443e55 c744243833213039 66c744243c3955 }
            // n = 6, score = 200
            //   c744243033273030     | mov                 dword ptr [esp + 0x30], 0x30302733
            //   c644243455           | mov                 byte ptr [esp + 0x34], 0x55
            //   c744244033263030     | mov                 dword ptr [esp + 0x40], 0x30302633
            //   66c74424443e55       | mov                 word ptr [esp + 0x44], 0x553e
            //   c744243833213039     | mov                 dword ptr [esp + 0x38], 0x39302133
            //   66c744243c3955       | mov                 word ptr [esp + 0x3c], 0x5539

        $sequence_2 = { 66c745082133 c6450a55 c745980a22333a c7459c25303b55 c744247836343939 }
            // n = 5, score = 200
            //   66c745082133         | mov                 word ptr [ebp + 8], 0x3321
            //   c6450a55             | mov                 byte ptr [ebp + 0xa], 0x55
            //   c745980a22333a       | mov                 dword ptr [ebp - 0x68], 0x3a33220a
            //   c7459c25303b55       | mov                 dword ptr [ebp - 0x64], 0x553b3025
            //   c744247836343939     | mov                 dword ptr [esp + 0x78], 0x39393436

        $sequence_3 = { c6852e01000055 c745b0193a3431 c745b4193c3727 c745b834272c14 c645bc55 c7854001000030163930 c78544010000343b2025 }
            // n = 7, score = 200
            //   c6852e01000055       | mov                 dword ptr [esp + 0x30], 0x30302733
            //   c745b0193a3431       | mov                 byte ptr [esp + 0x34], 0x55
            //   c745b4193c3727       | mov                 byte ptr [ebp + 0x12e], 0x55
            //   c745b834272c14       | mov                 dword ptr [ebp - 0x50], 0x31343a19
            //   c645bc55             | mov                 dword ptr [ebp - 0x4c], 0x27373c19
            //   c7854001000030163930     | mov    dword ptr [ebp - 0x48], 0x142c2734
            //   c78544010000343b2025     | mov    byte ptr [ebp - 0x44], 0x55

        $sequence_4 = { c744243833213039 66c744243c3955 c745803322273c 66c745842130 }
            // n = 4, score = 200
            //   c744243833213039     | dec                 eax
            //   66c744243c3955       | lea                 eax, [0xda3b]
            //   c745803322273c       | mov                 dword ptr [esp + 0x38], 0x39302133
            //   66c745842130         | mov                 word ptr [esp + 0x3c], 0x5539

        $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 eax, 1
            //   c745b472536163       | dec                 eax
            //   66c745b86c00         | mov                 dword ptr [esp + 0x58], eax
            //   ff15????????         |                     

        $sequence_6 = { 74e7 4883c440 5b c3 488d053bda0000 }
            // n = 5, score = 200
            //   74e7                 | je                  0xffffffe9
            //   4883c440             | dec                 eax
            //   5b                   | add                 esp, 0x40
            //   c3                   | pop                 ebx
            //   488d053bda0000       | ret                 

        $sequence_7 = { c745883336393a 66c7458c2630 c6458e55 c744245033273034 66c74424543155 c744243033273030 c644243455 }
            // n = 7, score = 200
            //   c745883336393a       | mov                 dword ptr [ebp - 0x80], 0x3c272233
            //   66c7458c2630         | mov                 word ptr [ebp - 0x7c], 0x3021
            //   c6458e55             | mov                 dword ptr [ebp - 0x78], 0x3a393633
            //   c744245033273034     | mov                 word ptr [ebp - 0x74], 0x3026
            //   66c74424543155       | mov                 byte ptr [ebp - 0x72], 0x55
            //   c744243033273030     | mov                 dword ptr [esp + 0x50], 0x34302733
            //   c644243455           | mov                 word ptr [esp + 0x54], 0x5531

        $sequence_8 = { 66c745283939 c6452a55 c745703e30273b c7457430396667 }
            // n = 4, score = 200
            //   66c745283939         | mov                 word ptr [ebp + 0x28], 0x3939
            //   c6452a55             | mov                 byte ptr [ebp + 0x2a], 0x55
            //   c745703e30273b       | mov                 dword ptr [ebp + 0x70], 0x3b27303e
            //   c7457430396667       | mov                 dword ptr [ebp + 0x74], 0x67663930

        $sequence_9 = { e8???????? 8be5 5d c3 6a00 8d854cffffff 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8be5                 | mov                 word ptr [ebp - 0x48], 0x6c
            //   5d                   | mov                 ecx, dword ptr [ebp - 0x1adc]
            //   c3                   | push                eax
            //   6a00                 | mov                 eax, dword ptr [ebp - 0x1ad8]
            //   8d854cffffff         | mov                 eax, dword ptr [eax*4 + 0x100186d8]
            //   50                   | mov                 esp, ebp

        $sequence_10 = { 6a20 56 ff15???????? 56 ff15???????? 40 6a01 }
            // n = 7, score = 100
            //   6a20                 | mov                 dword ptr [ebp - 0x3c], 1
            //   56                   | mov                 dword ptr [ebp - 0xc0], eax
            //   ff15????????         |                     
            //   56                   | test                eax, eax
            //   ff15????????         |                     
            //   40                   | je                  0x11
            //   6a01                 | lea                 eax, [ebp - 0x60]

        $sequence_11 = { ff15???????? 8bf8 e9???????? 8b8528e5ffff 8b0c85d8860110 8b8524e5ffff f644080480 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf8                 | push                0x20
            //   e9????????           |                     
            //   8b8528e5ffff         | push                esi
            //   8b0c85d8860110       | push                esi
            //   8b8524e5ffff         | inc                 eax
            //   f644080480           | push                1

        $sequence_12 = { 8d45dc c745fc00000000 50 52 c745c401000000 ff15???????? }
            // n = 6, score = 100
            //   8d45dc               | ret                 
            //   c745fc00000000       | push                edi
            //   50                   | push                0
            //   52                   | push                0x80000000
            //   c745c401000000       | push                2
            //   ff15????????         |                     

        $sequence_13 = { 898540ffffff 85c0 740d 8d45a0 }
            // n = 4, score = 100
            //   898540ffffff         | lea                 eax, [ebp - 0x24]
            //   85c0                 | mov                 dword ptr [ebp - 4], 0
            //   740d                 | push                eax
            //   8d45a0               | push                edx

        $sequence_14 = { 8b8d24e5ffff 50 8b8528e5ffff 8b0485d8860110 }
            // n = 4, score = 100
            //   8b8d24e5ffff         | dec                 eax
            //   50                   | lea                 eax, [0xda0a]
            //   8b8528e5ffff         | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   8b0485d8860110       | mov                 dword ptr [ebp - 0x4c], 0x63615372

        $sequence_15 = { c3 57 6a00 6800000080 6a02 }
            // n = 5, score = 100
            //   c3                   | pop                 ebp
            //   57                   | ret                 
            //   6a00                 | push                0
            //   6800000080           | lea                 eax, [ebp - 0xb4]
            //   6a02                 | push                eax

    condition:
        7 of them and filesize < 311296
}
Download all Yara Rules