System Infected: Trojan.Turla Activity 10

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Turla communicating with, and requesting information from, its command-and-control (C&C) server.

Additional Information

When the Trojan is executed, it creates the following files:
%CurrentFolder%\SPUNINST\vt.bin
%Windir%\resin.bin
%System%\vtmon.bin
%System%\drivers\mrxdmb.sys
%System%\drivers\nmnu.sys
%Windir%\$NtU*\mtmon.sdb
%Windir%\$NtU*\scmp.bin
%Windir%\$NtU*\cmp.bin

The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\Select\"Default" = "01"
HKEY_LOCAL_MACHINE\SYSTEM\Select\"LastKnownGood" = "01"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmnu\"DisplayName"= "nmnu"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nmnu\"ImagePath" = "%System%\drivers\nmnu.sys"

It may then create a service with the following characteristics:
Service name: mrxdmb
Image Path: %System%\drivers\mrxdmb.sys

Next, the Trojan connects to any of the following command-and-control (C&C) servers:
nightday.comxa.com
sanky.sportsontheweb.net
tiger.netii.net
north-area.bbsindex.com
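The file, service and C&C indicators above are the kind of thing an incident responder wants to sweep a fleet for. The script below is an added example, not Symantec's signature logic or any code from the page: it transcribes the indicators listed above into a small checker that matches them against a host's file inventory, its installed services and a DNS/proxy query log. The expansions of %Windir% and %System% to a default C: install, the treatment of %CurrentFolder% as "any directory", the free-form log line format and all of the sample inventory are assumptions made so that it runs offline.

```python
"""IOC checker for the Trojan.Turla artifacts listed on this page.

Added example, not Symantec's detection logic. The indicators are copied
from the page; placeholder expansions, the log line format and the sample
inventory are assumptions so the script runs offline.
"""
import fnmatch
import re

# File artifacts in Symantec's placeholder notation ($NtU* is a wildcard).
FILE_INDICATORS = [
    r"%CurrentFolder%\SPUNINST\vt.bin",
    r"%Windir%\resin.bin",
    r"%System%\vtmon.bin",
    r"%System%\drivers\mrxdmb.sys",
    r"%System%\drivers\nmnu.sys",
    r"%Windir%\$NtU*\mtmon.sdb",
    r"%Windir%\$NtU*\scmp.bin",
    r"%Windir%\$NtU*\cmp.bin",
]
# Driver services the Trojan registers (registry Services key / service name).
SERVICE_INDICATORS = {"nmnu", "mrxdmb"}
# Command-and-control hostnames.
C2_DOMAINS = {
    "nightday.comxa.com",
    "sanky.sportsontheweb.net",
    "tiger.netii.net",
    "north-area.bbsindex.com",
}

# Assumed placeholder expansions for a default install on C:.  On a live
# host read %SystemRoot% from the environment instead of hard-coding it.
PLACEHOLDERS = {
    "%System%": r"C:\Windows\System32",
    "%Windir%": r"C:\Windows",
    "%CurrentFolder%": "*",  # drop folder is unknown: match any directory
}


def indicator_to_glob(indicator):
    """Expand placeholders and lower-case so matching is case-insensitive."""
    glob = indicator
    for key, value in PLACEHOLDERS.items():
        glob = glob.replace(key, value)
    return glob.lower()


def match_files(paths):
    """Return [(path, indicator)] for every host path matching an indicator."""
    globs = [(ind, indicator_to_glob(ind)) for ind in FILE_INDICATORS]
    hits = []
    for path in paths:
        for ind, glob in globs:
            # fnmatch's '*' also spans backslashes, which is what we want for
            # %CurrentFolder% and for the $NtUninstall...$ directory name.
            if fnmatch.fnmatchcase(path.lower(), glob):
                hits.append((path, ind))
    return hits


def match_services(services):
    """services: {name: image_path}.  Flag known names or known driver images,
    so a renamed service that still loads nmnu.sys/mrxdmb.sys is caught."""
    hits = []
    for name, image in services.items():
        if name.lower() in SERVICE_INDICATORS or match_files([image]):
            hits.append(name)
    return hits


HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def match_dns(log_lines):
    """Pull hostnames out of free-form query log lines and flag any C2 domain
    or subdomain of one."""
    hits = []
    for line in log_lines:
        for host in HOST_RE.findall(line):
            h = host.lower().rstrip(".")
            if any(h == d or h.endswith("." + d) for d in C2_DOMAINS):
                hits.append((line, h))
                break
    return hits


# --- Constructed sample inventory (not real data) ---------------------------
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\NMNU.sys",
    r"C:\Windows\$NtUninstallKB2286198$\scmp.bin",
    r"C:\Users\alice\Downloads\SPUNINST\vt.bin",
    r"C:\Windows\resin.bin.bak",  # near miss: must not match
]
SAMPLE_SERVICES = {
    "Tcpip": r"C:\Windows\System32\drivers\tcpip.sys",
    "mrxdmb": r"C:\Windows\System32\drivers\mrxdmb.sys",
    "helper": r"C:\Windows\System32\drivers\nmnu.sys",  # renamed service
}
SAMPLE_DNS = [
    "2014-08-07 10:12:33 10.0.0.5 query A www.example.com",
    "2014-08-07 10:12:41 10.0.0.5 query A nightday.comxa.com",
    "2014-08-07 10:13:02 10.0.0.9 query A cdn.tiger.netii.net",
]


def scan(paths=SAMPLE_PATHS, services=SAMPLE_SERVICES, dns=SAMPLE_DNS):
    """Run all three checks and return the hits grouped by indicator type."""
    return {
        "files": match_files(paths),
        "services": match_services(services),
        "dns": match_dns(dns),
    }


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind, hits)
```

The two HKEY_LOCAL_MACHINE\SYSTEM\Select values listed above are deliberately left out of the checker: Default and LastKnownGood hold a control-set number on every Windows installation, so on their own they do not distinguish an infected host. The service check matches on the driver image as well as the service name, so that a sample that registers nmnu.sys or mrxdmb.sys under a different service name is still flagged.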

The Trojan may then perform the following actions:
Open a back door on the compromised computer
Gather and encrypt sensitive information
Send files to the C&C server
Load files on the compromised computer
Add new C&C server addresses to the registry
Update its drivers
Add a proxy
Terminate processes
Write data to a log file

Affected

  • Various Windows platforms