win.turla_rpc

TurlaRPC

Actor(s): Turla Group


There is no description at this point.

References
2021-02-28 — PWC UK — PWC UK
@techreport{uk:20210228:cyber:bd780cd, author = {PWC UK}, title = {{Cyber Threats 2020: A Year in Retrospect}}, date = {2021-02-28}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf}, language = {English}, urldate = {2021-03-04} } Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare
2021-02-19 — Palo Alto Networks Unit 42 — Dominik Reichel
@online{reichel:20210219:ironnetinjector:07c7f33, author = {Dominik Reichel}, title = {{IronNetInjector: Turla’s New Malware Loading Tool}}, date = {2021-02-19}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ironnetinjector/}, language = {English}, urldate = {2021-02-20} } IronNetInjector: Turla’s New Malware Loading Tool
Agent.BTZ TurlaRPC
2020-10-28 — Accenture — Cyber Defense
@online{defense:20201028:turla:6f32714, author = {Cyber Defense}, title = {{Turla uses HyperStack, Carbon, and Kazuar to compromise government entity}}, date = {2020-10-28}, organization = {Accenture}, url = {https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity}, language = {English}, urldate = {2020-10-29} } Turla uses HyperStack, Carbon, and Kazuar to compromise government entity
Cobra Carbon System Kazuar TurlaRPC Turla SilentMoon
2019-05-29 — ESET Research — Matthieu Faou, Romain Dumont
@online{faou:20190529:dive:3afd32e, author = {Matthieu Faou and Romain Dumont}, title = {{A dive into Turla PowerShell usage}}, date = {2019-05-29}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/}, language = {English}, urldate = {2019-11-14} } A dive into Turla PowerShell usage
PowerShellRunner TurlaRPC
Yara Rules
[TLP:WHITE] win_turla_rpc_auto (20210616 | Detects win.turla_rpc.)
rule win_turla_rpc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.turla_rpc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * Sixteen opcode sequences lifted from win.turla_rpc disassembly; the rule
     * fires when at least 7 of them match in a file below 311296 bytes
     * (304 KiB), see `condition`. The byte patterns are the signature and
     * must not be edited; only the comments were touched.
     *
     * The per-instruction annotations below were re-derived from the hex
     * bytes. In the generated original the annotations of $sequence_0 to
     * $sequence_4 and $sequence_6 to $sequence_8 were offset from the bytes
     * they sat next to (e.g. the first line of $sequence_0, c74554301d343b,
     * was labelled `mov word ptr [esp + 0x44], 0x553e` but decodes to
     * `mov dword ptr [ebp + 0x54], 0x3b341d30`).
     * $sequence_6 carries REX.W (0x48) prefixes, i.e. it is x64 code; the
     * generator's 32-bit decode rendered each 0x48 as a spurious `dec eax`.
     *
     * What the sequences capture (useful when triaging a hit):
     * - $sequence_0-4, 7 and 8 build stack strings whose imm bytes XOR 0x55
     *   decode to ASCII API / CRT names (the [ebp+0x60..0x68] stores in
     *   $sequence_0 yield "CreateFileW"; $sequence_3 yields "memmove" and
     *   "realloc"; $sequence_7 "fseek" and "ftell"). The trailing 0x55 byte
     *   is the encoded NUL terminator.
     * - $sequence_13 and $sequence_15 are the matching decode loops:
     *   `xor byte ptr [ebp + eax - disp], 0x55 ; inc eax`.
     * - $sequence_5 stores plain ASCII, $sequence_9 and $sequence_11 store
     *   UTF-16LE character pairs (e.g. $sequence_9 spells the fragment
     *   "pipe\actl"); these are fragments, the full strings lie outside
     *   the matched bytes.
     * - The remaining sequences (6, 10, 12, 14) are generic control flow and
     *   should not be weighted on their own.
     * Sequences with score = 100 rather than 200 were presumably seen in
     * fewer reference samples; NOTE(review): confirm against yara-signator
     * docs before using the score as a confidence input.
     */

    strings:
        $sequence_0 = { c74554301d343b c7455831393055 c7456016273034 c745642130133c c7456839300255 c7851001000016273034 }
            // n = 6, score = 200
            //   c74554301d343b       | mov                 dword ptr [ebp + 0x54], 0x3b341d30
            //   c7455831393055       | mov                 dword ptr [ebp + 0x58], 0x55303931
            //   c7456016273034       | mov                 dword ptr [ebp + 0x60], 0x34302716
            //   c745642130133c       | mov                 dword ptr [ebp + 0x64], 0x3c133021
            //   c7456839300255       | mov                 dword ptr [ebp + 0x68], 0x55023039
            //   c7851001000016273034     | mov    dword ptr [ebp + 0x110], 0x34302716

        $sequence_1 = { c744247836343939 66c744247c3a36 c644247e55 c745883336393a 66c7458c2630 }
            // n = 5, score = 200
            //   c744247836343939     | mov                 dword ptr [esp + 0x78], 0x39393436
            //   66c744247c3a36       | mov                 word ptr [esp + 0x7c], 0x363a
            //   c644247e55           | mov                 byte ptr [esp + 0x7e], 0x55
            //   c745883336393a       | mov                 dword ptr [ebp - 0x78], 0x3a393633
            //   66c7458c2630         | mov                 word ptr [ebp - 0x74], 0x3026

        $sequence_2 = { c7857801000026302410 66c7857c0100002502 c6857e01000055 c7452038262336 }
            // n = 4, score = 200
            //   c7857801000026302410     | mov    dword ptr [ebp + 0x178], 0x10243026
            //   66c7857c0100002502     | mov    word ptr [ebp + 0x17c], 0x225
            //   c6857e01000055       | mov                 byte ptr [ebp + 0x17e], 0x55
            //   c7452038262336       | mov                 dword ptr [ebp + 0x20], 0x36232638

        $sequence_3 = { 66c744246c3a36 c644246e55 c745a038303838 c745a43a233055 c745a827303439 c745ac393a3655 }
            // n = 6, score = 200
            //   66c744246c3a36       | mov                 word ptr [esp + 0x6c], 0x363a
            //   c644246e55           | mov                 byte ptr [esp + 0x6e], 0x55
            //   c745a038303838       | mov                 dword ptr [ebp - 0x60], 0x38383038
            //   c745a43a233055       | mov                 dword ptr [ebp - 0x5c], 0x5530233a
            //   c745a827303439       | mov                 dword ptr [ebp - 0x58], 0x39343027
            //   c745ac393a3655       | mov                 dword ptr [ebp - 0x54], 0x55363a39

        $sequence_4 = { c785c400000027273a27 c785c8000000183a3130 c685cc00000055 c785c001000030362155 c745d002273c21 c745d430133c39 }
            // n = 6, score = 200
            //   c785c400000027273a27     | mov    dword ptr [ebp + 0xc4], 0x273a2727
            //   c785c8000000183a3130     | mov    dword ptr [ebp + 0xc8], 0x30313a18
            //   c685cc00000055       | mov                 byte ptr [ebp + 0xcc], 0x55
            //   c785c001000030362155     | mov    dword ptr [ebp + 0x1c0], 0x55213630
            //   c745d002273c21       | mov                 dword ptr [ebp - 0x30], 0x213c2702
            //   c745d430133c39       | mov                 dword ptr [ebp - 0x2c], 0x393c1330

        $sequence_5 = { c745b06970746f c745b472536163 66c745b86c00 ff15???????? }
            // n = 4, score = 200
            //   c745b06970746f       | mov                 dword ptr [ebp - 0x50], 0x6f747069
            //   c745b472536163       | mov                 dword ptr [ebp - 0x4c], 0x63615372
            //   66c745b86c00         | mov                 word ptr [ebp - 0x48], 0x6c
            //   ff15????????         | call                dword ptr [????????]   (absolute address wildcarded)

        $sequence_6 = { 488d4d70 488bf8 ffd3 488d4d10 }
            // n = 4, score = 200
            // decoded as x64 (0x48 is a REX.W prefix, not `dec eax`)
            //   488d4d70             | lea                 rcx, [rbp + 0x70]
            //   488bf8               | mov                 rdi, rax
            //   ffd3                 | call                rbx
            //   488d4d10             | lea                 rcx, [rbp + 0x10]

        $sequence_7 = { c644243455 c744244033263030 66c74424443e55 c744243833213039 66c744243c3955 }
            // n = 5, score = 200
            //   c644243455           | mov                 byte ptr [esp + 0x34], 0x55
            //   c744244033263030     | mov                 dword ptr [esp + 0x40], 0x30302633
            //   66c74424443e55       | mov                 word ptr [esp + 0x44], 0x553e
            //   c744243833213039     | mov                 dword ptr [esp + 0x38], 0x39302133
            //   66c744243c3955       | mov                 word ptr [esp + 0x3c], 0x5539

        $sequence_8 = { 66c744244c2555 c785c000000006302110 c785c400000027273a27 c785c8000000183a3130 }
            // n = 4, score = 200
            //   66c744244c2555       | mov                 word ptr [esp + 0x4c], 0x5525
            //   c785c000000006302110     | mov    dword ptr [ebp + 0xc0], 0x10213006
            //   c785c400000027273a27     | mov    dword ptr [ebp + 0xc4], 0x273a2727
            //   c785c8000000183a3130     | mov    dword ptr [ebp + 0xc8], 0x30313a18

        $sequence_9 = { c745e470006900 c745e870006500 c745ec5c006100 c745f074006300 c745f474006c00 c785c8feffff14010000 ff15???????? }
            // n = 7, score = 100
            // UTF-16LE stack string fragment: "pi" "pe" "\a" "tc" "tl"
            //   c745e470006900       | mov                 dword ptr [ebp - 0x1c], 0x690070
            //   c745e870006500       | mov                 dword ptr [ebp - 0x18], 0x650070
            //   c745ec5c006100       | mov                 dword ptr [ebp - 0x14], 0x61005c
            //   c745f074006300       | mov                 dword ptr [ebp - 0x10], 0x630074
            //   c745f474006c00       | mov                 dword ptr [ebp - 0xc], 0x6c0074
            //   c785c8feffff14010000     | mov    dword ptr [ebp - 0x138], 0x114
            //   ff15????????         | call                dword ptr [????????]   (absolute address wildcarded)

        $sequence_10 = { 8b9530e5ffff 8b8528e5ffff 8b8d24e5ffff 8b0485d8860110 f644010440 7409 803a1a }
            // n = 7, score = 100
            // the 0x100186d8 table address is image-base dependent; a relocated sample would not match this sequence
            //   8b9530e5ffff         | mov                 edx, dword ptr [ebp - 0x1ad0]
            //   8b8528e5ffff         | mov                 eax, dword ptr [ebp - 0x1ad8]
            //   8b8d24e5ffff         | mov                 ecx, dword ptr [ebp - 0x1adc]
            //   8b0485d8860110       | mov                 eax, dword ptr [eax*4 + 0x100186d8]
            //   f644010440           | test                byte ptr [ecx + eax + 4], 0x40
            //   7409                 | je                  0xb
            //   803a1a               | cmp                 byte ptr [edx], 0x1a

        $sequence_11 = { c745d831002d00 c745dc31003600 c745e02d003000 c745e429000000 c745e861006400 }
            // n = 5, score = 100
            // UTF-16LE stack string fragment: "1-" "16" "-0" ")\0" "ad"
            //   c745d831002d00       | mov                 dword ptr [ebp - 0x28], 0x2d0031
            //   c745dc31003600       | mov                 dword ptr [ebp - 0x24], 0x360031
            //   c745e02d003000       | mov                 dword ptr [ebp - 0x20], 0x30002d
            //   c745e429000000       | mov                 dword ptr [ebp - 0x1c], 0x29
            //   c745e861006400       | mov                 dword ptr [ebp - 0x18], 0x640061

        $sequence_12 = { 72e6 5e c3 6a03 e8???????? }
            // n = 5, score = 100
            // generic loop tail / call prologue; weak on its own
            //   72e6                 | jb                  0xffffffe8
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   6a03                 | push                3
            //   e8????????           | call                ????????   (relative target wildcarded)

        $sequence_13 = { 66c785c4feffff7000 8bff 80b40568ffffff55 40 }
            // n = 4, score = 100
            // single-byte XOR (key 0x55) decode loop over a stack buffer at [ebp - 0x98]
            //   66c785c4feffff7000     | mov    word ptr [ebp - 0x13c], 0x70
            //   8bff                 | mov                 edi, edi
            //   80b40568ffffff55     | xor                 byte ptr [ebp + eax - 0x98], 0x55
            //   40                   | inc                 eax

        $sequence_14 = { 8bf0 85f6 7522 8d45e8 50 ff15???????? }
            // n = 6, score = 100
            // generic "check return value, then call with &local" pattern; weak on its own
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   7522                 | jne                 0x24
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   ff15????????         | call                dword ptr [????????]   (absolute address wildcarded)

        $sequence_15 = { 33c0 8d4900 80b40518ffffff55 40 }
            // n = 4, score = 100
            // same XOR-0x55 decode loop as $sequence_13, over a buffer at [ebp - 0xe8]
            //   33c0                 | xor                 eax, eax
            //   8d4900               | lea                 ecx, dword ptr [ecx]
            //   80b40518ffffff55     | xor                 byte ptr [ebp + eax - 0xe8], 0x55
            //   40                   | inc                 eax

    condition:
        // 7 of 16 sequences; the filesize cap (304 KiB) keeps the rule off large
        // unrelated binaries but will also miss padded or repacked copies.
        7 of them and filesize < 311296
}