Turian

Malware updated 25 days ago (2024-08-13T15:18:07.834Z)
Turian is a backdoor that has been used in several cyber-espionage campaigns, notably against Iranian government organizations. It reaches systems through suspicious downloads, emails, or websites, and was detected on target machines as early as 2022; in those cases it was identified as version 3 of the Quarian backdoor, also known as Turian. By October 10, 2023, the same attackers had used this access to deploy the QSC framework. A Linux version of the Turian backdoor, tagged as APT_MAL_LNX_Turian_Jun21_1, has been identified among VirusTotal samples. In January, the Turian malware was used by the group known as Flea to compromise the networks of four Iranian government organizations, including Iran's Ministry of Foreign Affairs.

The network protocol used by the Turian and Quarian backdoors is distinctive, particularly during the initial key exchange. Once a connection is established, Turian performs an SSL handshake with its command-and-control (C2) server and waits for a 5-byte response, typically the SSL/TLS record header. The WildFire cloud-based threat analysis service identifies Turian, and recent updates to Cortex 3.5 block its execution through Behavioral Threat Protection and new in-memory shellcode protection. Despite these defenses, upgrades to the Turian backdoor and its C2 infrastructure indicate that the actors behind it continue to run successful espionage campaigns.
Description last updated: 2024-08-13T15:16:00.070Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance):
- Malware
- Backdoor
Source Document References
Information about the Turian malware was read from the documents listed below.

Source | Created | Title
Securelist | 25 days ago | Kaspersky report on APT trends in Q2 2024
CERT-EU | a year ago | China-sponsored APT group targets government ministries in the Americas
Unit42 | 2 years ago | Chinese Playful Taurus Activity in Iran