S0647 Turian
Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.1
| Item | Value |
|---|---|
| ID | S0647 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 21 September 2021 |
| Last Modified | 18 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Turian has the ability to use HTTP for its C2.1 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Turian can use WinRAR to create a password-protected archive for files of interest.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Turian can establish persistence by adding Registry Run keys.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Turian can create a remote shell and execute commands using cmd.1 |
| enterprise | T1059.004 | Unix Shell | Turian has the ability to use /bin/sh to execute commands.1 |
| enterprise | T1059.006 | Python | Turian has the ability to use Python to spawn a Unix shell.1 |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | Turian can insert pseudo-random characters into its network encryption setup.1 |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Turian can store copied files in a specific directory prior to exfiltration.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.1 |
| enterprise | T1083 | File and Directory Discovery | Turian can search for specific files and list directories.1 |
| enterprise | T1105 | Ingress Tool Transfer | Turian can download additional files and tools from its C2.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Turian can disguise as a legitimate service to blend into normal operations.1 |
| enterprise | T1027 | Obfuscated Files or Information | Turian can use VMProtect for obfuscation.1 |
| enterprise | T1120 | Peripheral Device Discovery | Turian can scan for removable media to collect data.1 |
| enterprise | T1113 | Screen Capture | Turian has the ability to take screenshots.1 |
| enterprise | T1082 | System Information Discovery | Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.1 |
| enterprise | T1016 | System Network Configuration Discovery | Turian can retrieve the internal IP address of a compromised host.1 |
| enterprise | T1033 | System Owner/User Discovery | Turian can retrieve usernames.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0135 | BackdoorDiplomacy | 1 |