Turian is a backdoor that has been used by BackdoorDiplomacy against numerous organizations across Africa, Europe, the Middle East, and Asia. Turian affects the Windows and Linux operating systems. It can use an XOR decryption key to extract C2 server domains and IP addresses from its embedded configuration, use WinRAR to create a password-protected archive of files of interest, and disguise itself as a legitimate service to blend into normal operations. Additionally, Turian can insert pseudo-random characters into its network encryption setup, scan for removable media to collect data, download additional files and tools from its C2, establish persistence by adding Registry Run keys, use Python to spawn a Unix shell, stage copied files in a specific directory prior to exfiltration, retrieve usernames, and execute commands using cmd.
Turian Malware Capabilities
- Turian may use obfuscated files or information to hinder analysis, and may use utilities such as WinRAR to compress and/or encrypt collected data prior to exfiltration. It may also manipulate the name of a task or service to make it appear legitimate or benign.
- Turian may add junk data to the protocols it uses for command and control in order to evade detection, and may gather information about attached peripheral devices such as removable media. It may also transfer tools or other files from an external system into the compromised environment.
- Turian may abuse Unix shell commands and scripts for execution. It may capture screenshots to collect sensitive information, and may gain persistence by adding programs to Registry Run keys or startup folders.
- Turian may collect detailed information about the target system's operating system and hardware to support follow-up actions, such as deciding whether to fully infect the target or to attempt specific actions. Turian may also abuse Python commands and scripts for execution.
- Turian may gather information about the compromised system's network configuration and settings, such as IP and/or MAC addresses. It may also enumerate files and directories.
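The XOR-decoded C2 configuration described above is the kind of artefact an analyst recovers from a sample rather than from live traffic. The following Python is an added example, not code from the page or from any Turian sample: it encodes a constructed configuration string with a made-up single-byte key (0x5A), then shows how to brute-force the key back out by XORing with every candidate and keeping only outputs that decode to plausible text containing an IPv4 address or domain name. The config layout, the key, and the indicator values are all assumptions made for the example; Turian's real key and format are not on this page.

```python
import re
from itertools import cycle

# Indicators to look for in decoded text: IPv4 addresses and domain names (ASCII).
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def extract_c2(plaintext: bytes):
    """Return (ips, domains) found in decoded text, deduplicated and sorted."""
    ips = sorted({m.decode() for m in IPV4_RE.findall(plaintext)})
    domains = sorted({m.decode().lower() for m in DOMAIN_RE.findall(plaintext)})
    return ips, domains


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility filter: printable ASCII plus whitespace and NUL padding."""
    return all(32 <= b < 127 or b in (0, 9, 10, 13) for b in data)


def recover_c2(blob: bytes):
    """Brute-force every single-byte XOR key; keep keys whose output holds C2 indicators.

    Returns {key: (ips, domains)} so the caller can see every candidate, not just one.
    """
    hits = {}
    for key in range(256):
        decoded = xor_bytes(blob, bytes([key]))
        if not looks_like_text(decoded):
            continue
        ips, domains = extract_c2(decoded)
        if ips or domains:
            hits[key] = (ips, domains)
    return hits


# Constructed sample: a made-up config string encoded with key 0x5A. Neither the
# layout nor the key is Turian's real one; they only stand in for an embedded,
# XOR-obfuscated configuration blob carved out of a sample.
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"c2=update.example.test;ip=203.0.113.7;port=443"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    for key, (ips, domains) in recover_c2(SAMPLE_BLOB).items():
        print(f"key=0x{key:02x} ips={ips} domains={domains}")
```

The brute force only covers single-byte keys. If the decryption routine in the sample shows a longer repeating key, pass that key straight to `xor_bytes` and run `extract_c2` on the result; the plausibility filter is what keeps the candidate list short when the key is unknown.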
Detecting and Mitigating Turian Malware Activity
- Turian activity can be detected by monitoring for the deobfuscation or decoding of files or information, for example a process decrypting an embedded configuration shortly after launch.
- Turian activity can be detected by analyzing network data for unusual data flows, by monitoring for file creation and for files transferred into the network, and by watching for system and network discovery commands that are unusual for a given user or host.
- Turian activity can be detected by monitoring for screen capture behaviour and for suspicious program execution, including programs newly added to Registry Run keys or startup folders.
- Abnormal Python usage can be detected by establishing normal usage patterns on each host, monitoring for deviations such as a Python interpreter spawning a shell, and restricting scripting for normal users.
- Turian's command-and-control traffic can be detected by analyzing network data for uncommon data flows and for application-layer protocols that do not follow expected standards, such as junk data inserted into otherwise structured traffic; restricting the use of scripts on systems where they are not commonly used limits the malware's execution options.
- Because several of Turian's capabilities rely on legitimate tools (WinRAR, cmd, Python, Registry Run keys), correlating these detections with system and network discovery activity and with file obfuscation reduces false positives compared with alerting on any single behaviour.
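The detections listed above are easiest to reason about against concrete process-creation telemetry. The following Python is an added example, not code from the page or from any vendor product: it runs three narrow rules (WinRAR adding a password-protected archive, reg.exe writing a Run key, and a Python interpreter spawning a shell) over a handful of constructed events in a simplified Sysmon/auditd-like shape. The event records, hostnames, users and command lines are all made up for the example; the rule logic is generic and would need to be adapted to the field names of a real log pipeline.

```python
import re

# Constructed process-creation events in a simplified Sysmon/auditd-like shape.
# They are illustrative only, not telemetry from a real Turian infection.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"Rar.exe a -hpS3cret C:\Users\Public\stage\docs.rar C:\Users\alice\Documents\*.docx"},
    {"host": "ws01", "user": "alice",
     "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\svc.exe"},
    {"host": "srv02", "user": "www-data",
     "image": "/bin/sh", "parent_image": "/usr/bin/python3",
     "cmdline": "sh -c id"},
    {"host": "ws03", "user": "bob",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"WinRAR.exe x C:\Users\bob\Downloads\report.rar"},  # benign extract
    {"host": "srv02", "user": "ops",
     "image": "/bin/bash", "parent_image": "/usr/sbin/sshd",
     "cmdline": "bash -l"},  # benign interactive login shell
]

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
# rar/WinRAR: -p<pwd> sets an archive password, -hp<pwd> also encrypts headers.
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S*", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_archive_with_password(e) -> bool:
    """Rar/WinRAR invoked with a password switch: staging of files for exfiltration."""
    return (basename(e["image"]) in {"rar.exe", "winrar.exe"}
            and bool(RAR_PASSWORD_SWITCH.search(e["cmdline"])))


def rule_registry_run_key(e) -> bool:
    """reg.exe adding a value under the CurrentVersion Run key: persistence."""
    return (basename(e["image"]) == "reg.exe"
            and " add " in e["cmdline"].lower()
            and bool(RUN_KEY.search(e["cmdline"])))


def rule_python_spawns_shell(e) -> bool:
    """A Python interpreter launching a shell; unusual outside dev/CI hosts."""
    return (basename(e["parent_image"]).startswith("python")
            and basename(e["image"]) in SHELLS)


RULES = [
    ("archive_password_protected", rule_archive_with_password),
    ("registry_run_key_persistence", rule_registry_run_key),
    ("python_spawns_shell", rule_python_spawns_shell),
]


def detect(events):
    """Return (rule_name, event_index) for every rule that fires on each event."""
    return [(name, i) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for name, i in detect(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"{name}: host={e['host']} user={e['user']} cmd={e['cmdline']}")
```

Each rule is deliberately narrow: the Run-key rule only sees reg.exe, so the same key set through PowerShell or a direct registry API call would not fire, and the archive rule ignores an extract (`x`) of a password-protected file. That is why the page's advice to correlate these signals with discovery activity and file obfuscation, rather than alerting on one behaviour in isolation, matters in practice.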