Turian, also known as Quarian backdoor version 3, is a potent malware that attackers have used to exploit target machines. Turian was first compiled on April 28, 2022, and was found to have infected target systems since 2022, which allowed the same attackers to deploy the QSC framework and the GoClient backdoor from October 10, 2023. The malware is associated with a specific domain and can be identified by the SHA-256 hash of its sample. A key feature of the Turian and Quarian backdoors is their distinct network protocol, particularly during the initial key exchange.
In January, Turian was utilized in a significant cyberattack against four Iranian government organizations, including Iran's Ministry of Foreign Affairs. The attackers, known as Flea, leveraged a new version of the Turian malware to compromise these networks. This incident highlights the evolving nature of the Turian malware and its potential for causing extensive damage when deployed against sensitive targets.
Protection against Turian involves the use of Behavioral Threat Protection and the newly released in-memory shellcode protection included in Cortex 3.5. These measures are designed to prevent the execution of Turian malware, thereby mitigating the risk of data theft, operational disruption, and other potential harms caused by such malicious software. Further information about Turian is available at: https://unit42.paloaltonetworks.com/playful-taurus/#post-126622-_9g8tqsio8dql
Description last updated: 2024-11-08T15:16:01.400Z