
System Infected: Trojan.Turla Activity 5

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects Trojan.Turla communicating and requesting information from its controlling server.

Additional Information

When the Trojan is executed, it creates the following files:

The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\Select\"Default" = "01"
HKEY_LOCAL_MACHINE\SYSTEM\Select\"LastKnownGood" = "01"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmnu\"DisplayName" = "nmnu"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmnu\"ImagePath" = "%System%\drivers\nmnu.sys"

It may then create a service with the following characteristics:
Service name: mrxdmb
Image Path: %System%\drivers\mrxdmb.sys
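
An added example, not part of the original write-up: a Python triage script that scans saved `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output for the service names and driver files listed above. It compares the driver file name rather than the full path, on the assumption that `%System%` stands for the Windows system folder, which the registry can record in several path forms; the function names and the sample input are constructed for illustration.

```python
import re

# Indicators from this page: service names and their driver file names.
SERVICE_NAMES = {"nmnu", "mrxdmb"}
DRIVER_FILES = {"nmnu.sys", "mrxdmb.sys"}

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\]+)$", re.IGNORECASE)
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$")

def parse_services(text):
    """Map service name -> {value name: data} from `reg query <key> /s` text."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = SERVICE_KEY.match(line.strip())
            # Values under deeper subkeys (e.g. ...\nmnu\Enum) are ignored.
            current = services.setdefault(key.group(1), {}) if key else None
        elif current is not None:
            value = VALUE_LINE.match(line)
            if value:
                current[value.group(1).lower()] = value.group(3).strip()
    return services

def find_matches(text):
    """Return (service, reasons) for services matching the page's indicators."""
    hits = []
    for name, values in parse_services(text).items():
        # Compare the file name only: the path prefix varies between hosts.
        path = values.get("imagepath", "").strip('"')
        driver = re.split(r"[\\/]", path)[-1].lower()
        reasons = ["service name"] if name.lower() in SERVICE_NAMES else []
        if driver in DRIVER_FILES:
            reasons.append("driver file " + driver)
        if reasons:
            hits.append((name, reasons))
    return hits

# Constructed sample input, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmnu
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\drivers\nmnu.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmnu\Enum
    Count    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helper
    ImagePath    REG_EXPAND_SZ    \??\C:\Windows\system32\drivers\MRXDMB.SYS
"""
print(find_matches(SAMPLE))
```

A service registered under a different name is still reported when its `ImagePath` points at one of the listed driver files, as the constructed `helper` entry shows.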

Next, the Trojan connects to any of the following command-and-control (C and C) servers:

The Trojan may then perform the following actions:
Open a back door on the compromised computer
Gather and encrypt sensitive information
Send files to the C and C server
Load files on the compromised computer
Add new C and C server addresses to the registry
Update its drivers
Add a proxy
Terminate processes
Write data to a log file


  • Various Windows platforms