SYMBOLCOMMON_NAMEaka. SYNONYMS
win.turla_rpc (Back to overview)

TurlaRPC

Actor(s): Turla Group

There is no description at this point.

References
2021-02-28PWC UKPWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Ransomware Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Ransomware Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-19Palo Alto Networks Unit 42Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ TurlaRPC
2020-10-28AccentureCyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29ESET ResearchMatthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c6854801000055 c78560010000013c3830 c785640100003a202155 c785a8010000271c3367 }
            // n = 4, score = 200
            //   c6854801000055       | mov                 dword ptr [ebp + 0x60], 0x34302716
            //   c78560010000013c3830     | mov    byte ptr [ebp + 0x8c], 0x55
            //   c785640100003a202155     | mov    dword ptr [ebp + 0xe0], 0x3213012
            //   c785a8010000271c3367     | mov    dword ptr [ebp + 0xe4], 0x3c262730

        $sequence_1 = { c7455016393a26 c74554301d343b c7455831393055 c7456016273034 }
            // n = 4, score = 200
            //   c7455016393a26       | mov                 dword ptr [ebp - 0x70], 0x3b263622
            //   c74554301d343b       | mov                 dword ptr [ebp - 0x6c], 0x55213436
            //   c7455831393055       | mov                 dword ptr [esp + 0x58], 0x39263622
            //   c7456016273034       | mov                 word ptr [esp + 0x5c], 0x3b30

        $sequence_2 = { ffd3 488d4d70 488bf8 ffd3 488d4d10 488bf0 ffd3 }
            // n = 7, score = 200
            //   ffd3                 | call                ebx
            //   488d4d70             | dec                 eax
            //   488bf8               | lea                 ecx, [ebp + 0x70]
            //   ffd3                 | dec                 eax
            //   488d4d10             | mov                 edi, eax
            //   488bf0               | call                ebx
            //   ffd3                 | dec                 eax

        $sequence_3 = { c7851001000016273034 c7851401000021300527 c785180100003a363026 66c7851c0100002602 }
            // n = 4, score = 200
            //   c7851001000016273034     | mov    dword ptr [ebp + 0x110], 0x34302716
            //   c7851401000021300527     | mov    dword ptr [ebp + 0x114], 0x27053021
            //   c785180100003a363026     | mov    dword ptr [ebp + 0x118], 0x2630363a
            //   66c7851c0100002602     | mov    word ptr [ebp + 0x11c], 0x226

        $sequence_4 = { c7452427217b31 66c745283939 c6452a55 c745703e30273b c7457430396667 }
            // n = 5, score = 200
            //   c7452427217b31       | mov                 dword ptr [ebp + 0x24], 0x317b2127
            //   66c745283939         | mov                 word ptr [ebp + 0x28], 0x3939
            //   c6452a55             | mov                 byte ptr [ebp + 0x2a], 0x55
            //   c745703e30273b       | mov                 dword ptr [ebp + 0x70], 0x3b27303e
            //   c7457430396667       | mov                 dword ptr [ebp + 0x74], 0x67663930

        $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   c745b472536163       | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   66c745b86c00         | mov                 word ptr [ebp - 0x48], 0x6c
            //   ff15????????         |                     

        $sequence_6 = { f30f7f8550010000 660f6f05???????? c6858c00000055 c785e000000012302103 c785e40000003027263c c785e80000003a3b102d f30f7f85e0010000 }
            // n = 7, score = 200
            //   f30f7f8550010000     | movdqu              xmmword ptr [ebp + 0x150], xmm0
            //   660f6f05????????     |                     
            //   c6858c00000055       | mov                 byte ptr [ebp + 0x8c], 0x55
            //   c785e000000012302103     | mov    dword ptr [ebp + 0xe0], 0x3213012
            //   c785e40000003027263c     | mov    dword ptr [ebp + 0xe4], 0x3c262730
            //   c785e80000003a3b102d     | mov    dword ptr [ebp + 0xe8], 0x2d103b3a
            //   f30f7f85e0010000     | movdqu              xmmword ptr [ebp + 0x1e0], xmm0

        $sequence_7 = { c6450a55 c745980a22333a c7459c25303b55 c744247836343939 66c744247c3a36 c644247e55 c745883336393a }
            // n = 7, score = 200
            //   c6450a55             | mov                 dword ptr [ebp + 0xc0], 0x10213006
            //   c745980a22333a       | mov                 dword ptr [ebp + 0xc4], 0x273a2727
            //   c7459c25303b55       | mov                 dword ptr [ebp + 0xc8], 0x30313a18
            //   c744247836343939     | mov                 byte ptr [ebp + 0xcc], 0x55
            //   66c744247c3a36       | mov                 byte ptr [ebp + 0xa], 0x55
            //   c644247e55           | mov                 dword ptr [ebp - 0x68], 0x3a33220a
            //   c745883336393a       | mov                 dword ptr [ebp - 0x64], 0x553b3025

        $sequence_8 = { c644247655 c744246022362636 66c74424643825 c644246655 c745902236263b c7459436342155 c744245822362639 }
            // n = 7, score = 200
            //   c644247655           | mov                 byte ptr [esp + 0x76], 0x55
            //   c744246022362636     | mov                 dword ptr [esp + 0x60], 0x36263622
            //   66c74424643825       | mov                 word ptr [esp + 0x64], 0x2538
            //   c644246655           | mov                 byte ptr [esp + 0x66], 0x55
            //   c745902236263b       | mov                 dword ptr [ebp - 0x70], 0x3b263622
            //   c7459436342155       | mov                 dword ptr [ebp - 0x6c], 0x55213436
            //   c744245822362639     | mov                 dword ptr [esp + 0x58], 0x39263622

        $sequence_9 = { 8b8d6cfdffff 89410c 8d8580feffff 50 57 ff9570fdffff 8b8d6cfdffff }
            // n = 7, score = 100
            //   8b8d6cfdffff         | mov                 ecx, dword ptr [ebp - 0x294]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8d8580feffff         | lea                 eax, [ebp - 0x180]
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff9570fdffff         | call                dword ptr [ebp - 0x290]
            //   8b8d6cfdffff         | mov                 ecx, dword ptr [ebp - 0x294]

        $sequence_10 = { e8???????? 59 8365fc00 8b049dd8860110 f644380401 7413 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8365fc00             | and                 dword ptr [ebp - 4], 0
            //   8b049dd8860110       | mov                 eax, dword ptr [ebx*4 + 0x100186d8]
            //   f644380401           | test                byte ptr [eax + edi + 4], 1
            //   7413                 | je                  0x15

        $sequence_11 = { c1ef02 3b850cffffff 0f47f9 85ff 7413 ff36 }
            // n = 6, score = 100
            //   c1ef02               | shr                 edi, 2
            //   3b850cffffff         | cmp                 eax, dword ptr [ebp - 0xf4]
            //   0f47f9               | cmova               edi, ecx
            //   85ff                 | test                edi, edi
            //   7413                 | je                  0x15
            //   ff36                 | push                dword ptr [esi]

        $sequence_12 = { c78538ffffff16273034 c7853cffffff2130013d c78540ffffff27303431 c68544ffffff55 c745b011303930 c745b42130133c }
            // n = 6, score = 100
            //   c78538ffffff16273034     | mov    dword ptr [ebp - 0xc8], 0x34302716
            //   c7853cffffff2130013d     | mov    dword ptr [ebp - 0xc4], 0x3d013021
            //   c78540ffffff27303431     | mov    dword ptr [ebp - 0xc0], 0x31343027
            //   c68544ffffff55       | mov                 byte ptr [ebp - 0xbc], 0x55
            //   c745b011303930       | mov                 dword ptr [ebp - 0x50], 0x30393011
            //   c745b42130133c       | mov                 dword ptr [ebp - 0x4c], 0x3c133021

        $sequence_13 = { 83c408 8945c8 85c0 0f8480000000 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   85c0                 | test                eax, eax
            //   0f8480000000         | je                  0x86

        $sequence_14 = { 7311 f30f7e0e 83e908 8d7608 660fd60f 8d7f08 8b048d48350010 }
            // n = 7, score = 100
            //   7311                 | jae                 0x13
            //   f30f7e0e             | movq                xmm1, qword ptr [esi]
            //   83e908               | sub                 ecx, 8
            //   8d7608               | lea                 esi, [esi + 8]
            //   660fd60f             | movq                qword ptr [edi], xmm1
            //   8d7f08               | lea                 edi, [edi + 8]
            //   8b048d48350010       | mov                 eax, dword ptr [ecx*4 + 0x10003548]

        $sequence_15 = { 8b0485d8860110 80643004fd 8b45f8 8b55fc 5f 5e }
            // n = 6, score = 100
            //   8b0485d8860110       | mov                 eax, dword ptr [eax*4 + 0x100186d8]
            //   80643004fd           | and                 byte ptr [eax + esi + 4], 0xfd
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 311296
}
Download all Yara Rules