Turian

Malware Profile Updated 3 months ago
Turian is a sophisticated backdoor that has been used in numerous cyber espionage campaigns. It infects systems through dubious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage. The Turian backdoor has been linked with Advanced Persistent Threat (APT) activity, specifically APT_MAL_LNX_Turian_Jun21_1, a Linux version of the malware. Its network protocol, especially during the initial key exchange, is distinct and sets it apart from similar threats. The malware's recent upgrades and new Command and Control (C2) infrastructure suggest continued success in these campaigns.

In January, Turian was used by an actor named Flea to compromise four Iranian government organizations, including Iran's Ministry of Foreign Affairs. This attack featured a new version of the Turian malware, showing how it continues to evolve. Once a connection has been made, Turian performs an SSL handshake with the C2 and waits for a 5-byte response. On startup, it retrieves a pointer to the Security Support Provider Interface (SSPI) Dispatch Table via a call to InitSecurityInterfaceA(), before calling AcquireCredentialsHandleA().

Palo Alto Networks' WildFire cloud-based threat analysis service identifies the Turian malware as malicious, providing protection against this threat. Additionally, the release of Cortex 3.5 introduces Behavioral Threat Protection and new in-memory shellcode protection, which prevent the execution of Turian malware. These security measures are crucial in defending against the persistent and evolving threat that Turian represents.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

No overlapping profiles are listed.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Espionage
Linux
Associated Malware
ID | Type | Votes | Profile Description
Taurus | Unspecified | 1 | Taurus is a malicious software (malware) that has been associated with multiple cyber threat actors, notably Stately Taurus, Iron Taurus, and Starchy Taurus, all of which have connections to Chinese Advanced Persistent Threats (APTs). The malware is designed to infiltrate systems and steal personal
Associated Threat Actors
ID | Type | Votes | Profile Description
BackdoorDiplomacy | Unspecified | 1 | BackdoorDiplomacy, also known as Playful Taurus, APT15, Vixen Panda, KeChang, and NICKEL, is a threat actor group associated with Chinese cyber espionage campaigns. This group has been particularly active in Africa, targeting high-priority organizations in telecommunications, finance, and government
Flea | Unspecified | 1 | Flea, also known as APT15 or Nickel, is a China-linked threat actor primarily targeting foreign affairs ministries in Central and South American countries. The group's latest campaign utilizes a novel backdoor named "Graphican," which is an evolution of their custom backdoor Ketrican. This new backd
Playful Taurus | Unspecified | 1 | Playful Taurus is a notable threat actor in the cybersecurity landscape, known for its malicious activities against government and diplomatic entities across North and South America, Africa, and the Middle East. The group continually adapts its tactics and tools, showcasing an evolving strategy that
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Turian malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
CERT-EU | a year ago | China-sponsored APT group targets government ministries in the Americas
Unit42 | a year ago | Chinese Playful Taurus Activity in Iran