Turian

Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[1]

ID: S0647
Type: MALWARE
Platforms: Windows, Linux
Contributors: Zaw Min Htun, @Z3TAE
Version: 1.0
Created: 21 September 2021
Last Modified: 18 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Turian can disguise itself as a legitimate service to blend into normal operations.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Turian has the ability to use an XOR decryption key to extract C2 server domains and IP addresses.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Turian can establish persistence by adding Registry Run keys.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Turian can create a remote shell and execute commands using cmd.[1]

.004 Command and Scripting Interpreter: Unix Shell

Turian has the ability to use /bin/sh to execute commands.[1]

.006 Command and Scripting Interpreter: Python

Turian has the ability to use Python to spawn a Unix shell.[1]

Enterprise T1120 Peripheral Device Discovery

Turian can scan for removable media to collect data.[1]

Enterprise T1113 Screen Capture

Turian has the ability to take screenshots.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Turian has the ability to use HTTP for its C2.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Turian can use WinRAR to create a password-protected archive for files of interest.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Turian can store copied files in a specific directory prior to exfiltration.[1]

Enterprise T1001 .001 Data Obfuscation: Junk Data

Turian can insert pseudo-random characters into its network encryption setup.[1]

Enterprise T1083 File and Directory Discovery

Turian can search for specific files and list directories.[1]

Enterprise T1027 Obfuscated Files or Information

Turian can use VMProtect for obfuscation.[1]

Enterprise T1082 System Information Discovery

Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.[1]

Enterprise T1033 System Owner/User Discovery

Turian can retrieve usernames.[1]

Enterprise T1016 System Network Configuration Discovery

Turian can retrieve the internal IP address of a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

Turian can download additional files and tools from its C2.[1]

Groups That Use This Software

ID Name References
G0135 BackdoorDiplomacy [1]

References