The Turla Trojan attacks are currently infecting users worldwide in an offensive campaign. The captured samples showcase that the threat can cause widespread damage on the compromised hosts. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.
Threat Summary
| Name | Turla Trojan |
| Type | Trojan |
| Short Description | The Turla Trojan is a utility malware that is designed to silently infiltrate computer systems, active infections will spy on the victim users. |
| Symptoms | The victims may not experience any apparent symptoms of infection. |
| Distribution Method | Freeware Installations, Bundled Packages, Scripts and others. |
| Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
| User Experience | Join Our Forum to Discuss Turla Trojan. |
Turla Trojan – Distribution Methods
The Turla Trojan is the collective name of which a group of backdoors and malware led by the hacking group bearing the same name is known. Over the years several active campaigns bearing modified versions of it.
The recent attacks carrying the threat use a classic infiltration technique which depends on the interaction with a Adobe Flash installer. This means that the hackers can leverage several different distribution techniques:
- Fake Download Sites — The hackers can construct fake copies of legitimate vendor sites and download portals. They might use stolen web design elements and layout, as well as domain names. This can fool a large part of ordinary web users that can get redirected via search engine results or scripts such as pop-ups, banners, ads and in-line links.
- Scam Email Messages — Another popular technique is the coordination of mass email SPAM messages. They are created using graphics and text taken from well known sites or Internet services. This can confuse the users into thinking that they have received a software update message from Adobe for instance. The dangerous file can be directly attached or linked in the body contents.
- Installer Bundles — In some specific cases the virus can be made part of the legitimate Adobe Flash player installer.
- Document Scripts — The hackers behind the Turla Trojan can embed the installation code into macros. This means that infections can happen through interaction with all kinds of files: rich text documents, spreadsheets, presentations and databases. Once they are opened a notification prompt will pop-up asking the users to enable the built-in content. If this is done the infection will follow.
In certain cases the hackers can also deliver the threats via browser hijackers — malicious web browser extensions. They are usually spread on the relevant repositories using an elaborate description promising new feature enhancements. The use of fake developer credentials and use reviews can further coerce the victims into installing it. If this is done then their browser settings will be changed to redirect to a certain hacker-controlled page. The next actions will be to install the relevant Trojan code.
Some of the infections have been caused via vulnerability testing. The hackers use popular security audit tools to find weaknesses in computer hosts and networks. If an unpatched service software is found and they have the right exploit code the Turla Trojan code can be automatically deployed.
Turla Trojan – Detailed Description
Once the Turla Trojan has penetrated the computer’s security it will automatically launch a series of built-in commands. This Trojan uses a different approach in comparison to other threats. Instead of a traditional secure connection to a hacker-controlled server it depends on the delivery of files and email correspondence to automate the infection reports.
This means that the main malware engine can connect to an email inbox hat has been specially created for this purpose. Network administrators will not be able to trace down this specific stream as it appears just like any normal user behavior. The engine will report the data in a file, usually in the form of a PDF file, which is sent as an attachment and sent to the hacker operators. Upon receiving the message the remote administration client will read the data and then send specific instructions using the same mechanism back to the infected hosts.
The security analysis shows that the Turla Trojan have the ability to interact with email clients (Outlook and The Bat!). The malicious engine sets itself as a persistent dependency which allows it to start every time the applications are accessed.
The full analysis has revealed the commands that can be launched by the hackers. The full list of actions includes the following:
- Display a MessageBox — Allows the hackers to display a notification box on the victim’s desktop. This is widely used when orchestrating social engineering attacks.
- Sleep — Triggers a “sleep” power event.
- Delete File — Allows the hackers to choose a file on the users computer that will be deleted.
- Get File — Retrieves a chosen file from the infected machine.
- Set operator email address A(overriding the initial one hardcoded in the DLL) — Changes the controlling email address to another one.
- Put File — Deploys a hacker-specified file to the machines.
- Run Shell Command — Allows the hackers to execute commands of their choice — either in PowerShell or the command prompt.
- Create Process — The malicius engine will create a second process in a separate thread.
- Delete Directory — Deletes a chosen directory.
- Create Directory — Creates a directory under a provided name in a specified directory.
- Change timeout — Modifies the interval between the email correspondence monitoring.
- Run Powershell Command — Enables the hackers to execute PowerShell commands and scripts.
- Set Answer Mode — Modifies the return instructions mode.
Most of the Turla Trojan attacks can be configured using either built-in scripts or programmed by the hackers to carry out complex infiltrations. This includes a persistent installation. This means that it can modify the boot options and automatically start once the computer is booted up. This procedure can also disable access to the recovery menu which will render most manual recovery instructions worthless.
Use of the Turla Trojan can lead to sensitive information harvesting. This means that it can retrieve strings that can expose the victim’s identity — their name, address, phone number, interests, location and any stored account credentials. The other type of information that can be hijacked is metrics about the operating system and the installed hardware components that can be used to optimize the upcoming attacks.
The malicious algorithm can also be configured to delete any System recovery information such as backups and Shadow Volume Copies. This means that effective restore of the infected computers is only possible with a professional-grade recovery software, refer to our instructions for more information on the matter.
It is possible that the Turla Trojan can be modified to execute banking Trojan like behavior. Thanks to the remote control and spying capabilities the hackers can monitor when the victim users enter into certain services like email inboxes and online banks. When they access the relevant login pages the criminals can directly extract the mouse movement and keystrokes. The credentials will be automatically transferred to the hackers.
Remove Turla Trojan
If your computer system got infected with the Turla Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instructions guide provided below.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me:
Preparation before removing Turla Trojan.
Before starting the actual removal process, we recommend that you do the following preparation steps.
- Make sure you have these instructions always open and in front of your eyes.
- Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
- Be patient as this could take a while.
- Scan for Malware
- Fix Registries
- Remove Virus Files
Step 1: Scan for Turla Trojan with SpyHunter Anti-Malware Tool
Step 2: Clean any registries, created by Turla Trojan on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by Turla Trojan there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.Step 3: Find virus files created by Turla Trojan on your PC.
1.For Windows 8, 8.1 and 10.
For Newer Windows Operating Systems
1: On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC's screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn't found it yet.
2.For Windows XP, Vista, and 7.
For Older Windows Operating Systems
In older Windows OS's the conventional approach should be the effective one:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
Turla Trojan FAQ
What Does Turla Trojan Trojan Do?
The Turla Trojan Trojan is a malicious computer program designed to disrupt, damage, or gain unauthorized access to a computer system.
It can be used to steal sensitive data, gain control over a system, or launch other malicious activities.
Can Trojans Steal Passwords?
Yes, Trojans, like Turla Trojan, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.
Can Turla Trojan Trojan Hide Itself?
Yes, it can. A Trojan can use various techniques to mask itself, including rootkits, encryption, and obfuscation, to hide from security scanners and evade detection.
Can a Trojan be Removed by Factory Reset?
Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed. Bear in mind, that there are more sophisticated Trojans, that leave backdoors and reinfect even after factory reset.
Can Turla Trojan Trojan Infect WiFi?
Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.
Can Trojans Be Deleted?
Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.
Can Trojans Steal Files?
Yes, Trojans can steal files if they are installed on a computer. This is done by allowing the malware author or user to gain access to the computer and then steal the files stored on it.
Which Anti-Malware Can Remove Trojans?
Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.
Can Trojans Infect USB?
Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.
About the Turla Trojan Research
The content we publish on SensorsTechForum.com, this Turla Trojan how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific trojan problem.
How did we conduct the research on Turla Trojan?
Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of trojans (backdoor, downloader, infostealer, ransom, etc.)
Furthermore, the research behind the Turla Trojan threat is backed with VirusTotal.
To better understand the threat posed by trojans, please refer to the following articles which provide knowledgeable details.