S0647 Turian

Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.[1]

| Item | Value |
|------|-------|
| ID | S0647 |
| Associated Names | |
| Version | 1.0 |
| Created | 21 September 2021 |
| Last Modified | 18 October 2021 |

Techniques Used

| Domain | ID | Name | Use |
|--------|----|------|-----|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Turian has the ability to use HTTP for its C2.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Turian can use WinRAR to create a password-protected archive for files of interest.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Turian can establish persistence by adding Registry Run keys.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Turian can create a remote shell and execute commands using cmd.[1] |
| enterprise | T1059.004 | Unix Shell | Turian has the ability to use /bin/sh to execute commands.[1] |
| enterprise | T1059.006 | Python | Turian has the ability to use Python to spawn a Unix shell.[1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.001 | Junk Data | Turian can insert pseudo-random characters into its network encryption setup.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Turian can store copied files in a specific directory prior to exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.[1] |
| enterprise | T1083 | File and Directory Discovery | Turian can search for specific files and list directories.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Turian can download additional files and tools from its C2.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Turian can disguise as a legitimate service to blend into normal operations.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Turian can use VMProtect for obfuscation.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Turian can scan for removable media to collect data.[1] |
| enterprise | T1113 | Screen Capture | Turian has the ability to take screenshots.[1] |
| enterprise | T1082 | System Information Discovery | Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Turian can retrieve the internal IP address of a compromised host.[1] |
| enterprise | T1033 | System Owner/User Discovery | Turian can retrieve usernames.[1] |

Groups That Use This Software

| ID | Name | References |
|----|------|------------|
| G0135 | BackdoorDiplomacy | [1] |