win.turla_rpc

TurlaRPC

Actor(s): Turla


There is no description at this point.

References
2022-09-20 | cocomelonc
@online{cocomelonc:20220920:malware:c0e9c97, author = {cocomelonc}, title = {{Malware development: persistence - part 11. Powershell profile. Simple C++ example.}}, date = {2022-09-20}, url = {https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html}, language = {English}, urldate = {2022-10-19} }
Tagged: Turla RAT, TurlaRPC

2022-06-12 | cocomelonc
@online{cocomelonc:20220612:malware:e988236, author = {cocomelonc}, title = {{Malware development: persistence - part 7. Winlogon. Simple C++ example.}}, date = {2022-06-12}, url = {https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html}, language = {English}, urldate = {2022-12-01} }
Tagged: BazarBackdoor, Gazer, TurlaRPC, Turla SilentMoon

2022-05-02 | cocomelonc
@online{cocomelonc:20220502:malware:4384b01, author = {cocomelonc}, title = {{Malware development: persistence - part 3. COM DLL hijack. Simple C++ example}}, date = {2022-05-02}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html}, language = {English}, urldate = {2022-12-01} }
Tagged: Agent.BTZ, Ave Maria, Konni, Mosquito, TurlaRPC

2021-02-28 | PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} }
Tagged: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Tonto Team

2021-02-19 | Palo Alto Networks Unit 42 | Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} }
Tagged: Agent.BTZ, IronNetInjector, TurlaRPC

2020-10-28 | Accenture | Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} }
Tagged: Cobra Carbon System, Kazuar, TurlaRPC, Turla SilentMoon

2019-05-29 | ESET Research | Matthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} }
Tagged: PowerShellRunner, TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20230125 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences scoring 200 come from the 64-bit sample (REX-prefixed code);
        // sequences scoring 100 come from the 32-bit sample. The disassembly
        // column next to each byte string is the decoding of those bytes.
        // Several sequences build stack strings that are then XOR-decoded
        // with the single byte 0x55 (see $sequence_1 and $sequence_9).

        $sequence_0 = { ffd3 488d55f0 488bcf 488bd8 }
            // n = 4, score = 200
            //   ffd3                 | call                rbx
            //   488d55f0             | lea                 rdx, [rbp - 0x10]
            //   488bcf               | mov                 rcx, rdi
            //   488bd8               | mov                 rbx, rax

        $sequence_1 = { c6451a55 488d4d20 803155 48ffc1 }
            // n = 4, score = 200
            //   c6451a55             | mov                 byte ptr [rbp + 0x1a], 0x55
            //   488d4d20             | lea                 rcx, [rbp + 0x20]
            //   803155               | xor                 byte ptr [rcx], 0x55
            //   48ffc1               | inc                 rcx

        $sequence_2 = { 660f6f05???????? 66c785ec0000000255 c785a0000000193a3431 c785a4000000193c3727 c785a800000034272c02 }
            // n = 5, score = 200
            //   660f6f05????????     | movdqa              xmm0, xmmword ptr [rip + ?]
            //   66c785ec0000000255   | mov                 word ptr [rbp + 0xec], 0x5502
            //   c785a0000000193a3431 | mov                 dword ptr [rbp + 0xa0], 0x31343a19
            //   c785a4000000193c3727 | mov                 dword ptr [rbp + 0xa4], 0x27373c19
            //   c785a800000034272c02 | mov                 dword ptr [rbp + 0xa8], 0x22c2734

        $sequence_3 = { c745b4193c3727 c745b834272c14 c645bc55 c7854001000030163930 c78544010000343b2025 }
            // n = 5, score = 200
            //   c745b4193c3727       | mov                 dword ptr [rbp - 0x4c], 0x27373c19
            //   c745b834272c14       | mov                 dword ptr [rbp - 0x48], 0x142c2734
            //   c645bc55             | mov                 byte ptr [rbp - 0x44], 0x55
            //   c7854001000030163930 | mov                 dword ptr [rbp + 0x140], 0x30391630
            //   c78544010000343b2025 | mov                 dword ptr [rbp + 0x144], 0x25203b34

        $sequence_4 = { c744247026212739 66c7442474303b c644247655 c744246022362636 66c74424643825 c644246655 c745902236263b }
            // n = 7, score = 200
            //   c744247026212739     | mov                 dword ptr [rsp + 0x70], 0x39272126
            //   66c7442474303b       | mov                 word ptr [rsp + 0x74], 0x3b30
            //   c644247655           | mov                 byte ptr [rsp + 0x76], 0x55
            //   c744246022362636     | mov                 dword ptr [rsp + 0x60], 0x36263622
            //   66c74424643825       | mov                 word ptr [rsp + 0x64], 0x2538
            //   c644246655           | mov                 byte ptr [rsp + 0x66], 0x55
            //   c745902236263b       | mov                 dword ptr [rbp - 0x70], 0x3b263622

        $sequence_5 = { c7456016273034 c745642130133c c7456839300255 c7851001000016273034 }
            // n = 4, score = 200
            //   c7456016273034       | mov                 dword ptr [rbp + 0x60], 0x34302716
            //   c745642130133c       | mov                 dword ptr [rbp + 0x64], 0x3c133021
            //   c7456839300255       | mov                 dword ptr [rbp + 0x68], 0x55023039
            //   c7851001000016273034 | mov                 dword ptr [rbp + 0x110], 0x34302716

        $sequence_6 = { c74554301d343b c7455831393055 c7456016273034 c745642130133c }
            // n = 4, score = 200
            //   c74554301d343b       | mov                 dword ptr [rbp + 0x54], 0x3b341d30
            //   c7455831393055       | mov                 dword ptr [rbp + 0x58], 0x55303931
            //   c7456016273034       | mov                 dword ptr [rbp + 0x60], 0x34302716
            //   c745642130133c       | mov                 dword ptr [rbp + 0x64], 0x3c133021

        $sequence_7 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [rbp - 0x50], 0x6f747069
            //   c745b472536163       | mov                 dword ptr [rbp - 0x4c], 0x63615372
            //   66c745b86c00         | mov                 word ptr [rbp - 0x48], 0x6c
            //   ff15????????         | call                qword ptr [rip + ?]

        $sequence_8 = { 4885c0 74e7 4883c440 5b c3 488d053bda0000 }
            // n = 6, score = 200
            //   4885c0               | test                rax, rax
            //   74e7                 | je                  short -0x19
            //   4883c440             | add                 rsp, 0x40
            //   5b                   | pop                 rbx
            //   c3                   | ret
            //   488d053bda0000       | lea                 rax, [rip + 0xda3b]

        $sequence_9 = { 80b40558ffffff55 40 83f80d 72f2 33c0 807405d455 40 }
            // n = 7, score = 100
            //   80b40558ffffff55     | xor                 byte ptr [ebp + eax - 0xa8], 0x55
            //   40                   | inc                 eax
            //   83f80d               | cmp                 eax, 0xd
            //   72f2                 | jb                  short -0xe
            //   33c0                 | xor                 eax, eax
            //   807405d455           | xor                 byte ptr [ebp + eax - 0x2c], 0x55
            //   40                   | inc                 eax

        $sequence_10 = { c1e106 83c10c 8b0485d8860110 03c1 50 }
            // n = 5, score = 100
            //   c1e106               | shl                 ecx, 6
            //   83c10c               | add                 ecx, 0xc
            //   8b0485d8860110       | mov                 eax, dword ptr [eax*4 + 0x100186d8]
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax

        $sequence_11 = { 0f8434010000 8b35???????? 8d45d4 50 57 }
            // n = 5, score = 100
            //   0f8434010000         | je                  0x134
            //   8b35????????         | mov                 esi, dword ptr [?]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_12 = { 8bf0 85f6 747f 8d842460020000 50 56 ff15???????? }
            // n = 7, score = 100
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   747f                 | je                  short 0x7f
            //   8d842460020000       | lea                 eax, [esp + 0x260]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [?]

        $sequence_13 = { ff15???????? 6804010000 8d84248c020000 50 56 ff15???????? 83c420 }
            // n = 7, score = 100
            //   ff15????????         | call                dword ptr [?]
            //   6804010000           | push                0x104
            //   8d84248c020000       | lea                 eax, [esp + 0x28c]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [?]
            //   83c420               | add                 esp, 0x20

        $sequence_14 = { c78508ffffff16273034 c7850cffffff21300527 c78510ffffff3a363026 66c78514ffffff2602 c68516ffffff55 c78538ffffff16273034 c7853cffffff2130013d }
            // n = 7, score = 100
            //   c78508ffffff16273034 | mov                 dword ptr [ebp - 0xf8], 0x34302716
            //   c7850cffffff21300527 | mov                 dword ptr [ebp - 0xf4], 0x27053021
            //   c78510ffffff3a363026 | mov                 dword ptr [ebp - 0xf0], 0x2630363a
            //   66c78514ffffff2602   | mov                 word ptr [ebp - 0xec], 0x226
            //   c68516ffffff55       | mov                 byte ptr [ebp - 0xea], 0x55
            //   c78538ffffff16273034 | mov                 dword ptr [ebp - 0xc8], 0x34302716
            //   c7853cffffff2130013d | mov                 dword ptr [ebp - 0xc4], 0x3d013021

        $sequence_15 = { c785e8feffff31312730 66c785ecfeffff2626 c685eefeffff55 c745ec193a3431 c745f0193c3727 c745f434272c14 c645f855 }
            // n = 7, score = 100
            //   c785e8feffff31312730 | mov                 dword ptr [ebp - 0x118], 0x30273131
            //   66c785ecfeffff2626   | mov                 word ptr [ebp - 0x114], 0x2626
            //   c685eefeffff55       | mov                 byte ptr [ebp - 0x112], 0x55
            //   c745ec193a3431       | mov                 dword ptr [ebp - 0x14], 0x31343a19
            //   c745f0193c3727       | mov                 dword ptr [ebp - 0x10], 0x27373c19
            //   c745f434272c14       | mov                 dword ptr [ebp - 0xc], 0x142c2734
            //   c645f855             | mov                 byte ptr [ebp - 8], 0x55

    condition:
        7 of them and filesize < 311296
}