
Turla Outlook White Paper

Severity: High
Published: Fri Aug 17 2018 (08/17/2018, 00:00:00 UTC)
Source: CIRCL OSINT Feed
TLP: white

Description

Turla Outlook White Paper

AI-Powered Analysis
Last updated: 01/17/2026, 08:02:20 UTC

Technical Analysis

The Turla Outlook White Paper, published by ESET Research in August 2018, documents a backdoor that the Turla espionage group (also tracked as Snake, Uroburos, Venomous Bear, KRYPTON, Waterbug and WhiteBear) used against European government institutions in 2016 and 2017; the Cert-IST record lists Germany and France as targeted countries and a first-seen date at the turn of 2015/2016. The backdoor is a DLL that runs inside the victim's own mail client rather than as a separate process. Persistence and code execution come from Component Object Model (COM) hijacking (MITRE ATT&CK T1546.015, Event Triggered Execution: Component Object Model Hijacking; tracked as T1122 before sub-techniques were introduced): the malware writes its DLL path under HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} and HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}, the CLSIDs of legitimate mail-client components. For a medium-integrity process such as Outlook, COM consults the per-user HKCU\Software\Classes view before the machine-wide HKLM\Software\Classes view, so the write needs no administrative rights, modifies no Outlook binary and leaves no entry in the Outlook add-in list; the next time Outlook instantiates that object it loads the attacker's DLL. The dropped artefacts live in %APPDATA%\Microsoft\Windows (mapid.tlb, msmime.dll, scawrdot.db, flobcsnd.dat), HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\ serves as a virtual file system, and the backdoor keeps an encrypted log and ships its own MISTY1 block-cipher implementation, which is what ESET's turla_outlook_log and outlook_misty1 YARA rules match.

The objective is e-mail collection (MITRE ATT&CK T1114), and e-mail is also the command channel. According to the Cert-IST summary of the report, the backdoor receives its commands by e-mail and exfiltrates collected data by e-mail as PDF attachments that it generates itself, all through the legitimate Outlook installation, so at the network layer the traffic is ordinary mail flow and there is no separate C2 connection to spot. ESET's turla_outlook_pdf rule targets the producer strings (Adobe PDF Library 9.0, Acrobat PDFMaker 9.0) and structure of those generated documents. The strings in turla_outlook_gen (MAPILogonEx, IPM.Note, the /EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT= command format, the Re:|FWD:|AW:|FYI:|NT|QUE: subject-prefix list, PowerShellRunner.dll, "cmd container") point to MAPI-based mailbox export plus command execution. The same family carries The Bat! plugin exports (TBP_Initialize, TBP_Finalize, TBP_GetName, matched by turla_outlook_exports) and references to Software\RIT\The Bat! and Mozilla Thunderbird profiles, so Outlook is not the only mail client in scope.

No affected Outlook version or patch is listed because this is abuse of a documented extensibility mechanism, not a software vulnerability: there is nothing for Microsoft to fix, and the controls are registry hardening and detection. Use in the wild is documented (the 2016-2017 intrusions above), and the indicators are concrete rather than sparse: four file names, three registry keys, sample hashes in MD5, SHA-1 and SHA-256 form with VirusTotal detection records, and six ESET YARA rules under a BSD 2-Clause licence. Severity is rated High because a successful deployment gives silent, long-lived access to the mailbox of a targeted official and is invisible to controls that only inspect Outlook add-ins, network C2 beacons or machine-wide persistence locations.
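The lookup-order point above is easiest to see in code. The following is an added example, not ESET's tooling or anything from the white paper: it mimics how COM resolves an InprocServer32 path (per-user hive first) over a constructed registry snapshot and audits every per-user CLSID registration, scoring the two CLSIDs and four file names from the indicators highest. The HKLM paths and the benign per-user CLSID are placeholders, and the path %APPDATA%\Microsoft\Windows\mapid.tlb for the hijacked entry is assumed for the example; snapshot_from_live_registry() rebuilds the same structure on a real Windows host with the standard winreg module.

```python
"""Added example (not ESET's or the page's code): reproduce COM's CLSID lookup
order and audit a registry snapshot for the per-user hijack the Turla Outlook
backdoor relies on. The snapshot below is constructed; the HKLM paths are
placeholders and the DLL path of the hijacked entry is assumed."""
import re
from typing import Dict, List, Optional

# CLSIDs and file names taken from the indicators on this page.
KNOWN_HIJACKED_CLSIDS = {
    "{49CBB1C7-97D1-485A-9EC1-A26065633066}",
    "{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}",
}
KNOWN_FILENAMES = {"mapid.tlb", "msmime.dll", "scawrdot.db", "flobcsnd.dat"}

_KEY_RE = re.compile(
    r"^(?P<hive>HKCU|HKLM)\\Software\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32$",
    re.IGNORECASE,
)

# Constructed snapshot: InprocServer32 key -> its (Default) value.
SNAPSHOT: Dict[str, str] = {
    r"HKLM\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\InprocServer32":
        r"C:\Program Files\Common Files\Placeholder\mailcomponent.dll",   # placeholder
    r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32":
        r"C:\Windows\System32\placeholder.dll",                          # placeholder
    # Benign per-user registration, as left behind by a per-user application install.
    r"HKCU\Software\Classes\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InprocServer32":
        r"C:\Users\alice\AppData\Local\SomeApp\someapp.dll",
    # The hijack: a per-user entry for a CLSID from the indicators (DLL path assumed).
    r"HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\InprocServer32":
        r"%APPDATA%\Microsoft\Windows\mapid.tlb",
}


def _by_clsid(snapshot: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group InprocServer32 values as {CLSID: {hive: path}}."""
    grouped: Dict[str, Dict[str, str]] = {}
    for key, path in snapshot.items():
        m = _KEY_RE.match(key)
        if m:
            grouped.setdefault(m["clsid"].upper(), {})[m["hive"].upper()] = path
    return grouped


def resolve_inproc_server(snapshot: Dict[str, str], clsid: str) -> Optional[str]:
    """COM's lookup order: the per-user HKCU\\Software\\Classes view is consulted
    before the machine-wide HKLM view. That precedence is the whole attack: an
    unprivileged write to HKCU redirects a CLSID that HKLM registers correctly."""
    hives = _by_clsid(snapshot).get(clsid.upper(), {})
    return hives.get("HKCU") or hives.get("HKLM")


def audit(snapshot: Dict[str, str]) -> List[dict]:
    """Flag per-user CLSID registrations, scoring the Turla indicators highest."""
    findings = []
    for clsid, hives in _by_clsid(snapshot).items():
        path = hives.get("HKCU")
        if path is None:
            continue                      # machine-wide only: the normal case
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if clsid in KNOWN_HIJACKED_CLSIDS:
            reasons.append("CLSID listed in the Turla Outlook indicators")
        if name in KNOWN_FILENAMES:
            reasons.append(f"server file name {name} listed in the indicators")
        if "HKLM" in hives:
            reasons.append("per-user entry shadows a machine-wide registration")
        if re.search(r"%appdata%|\\users\\", path, re.IGNORECASE):
            reasons.append("server lives in a user-writable profile path")
        if not name.endswith((".dll", ".ocx")):
            reasons.append("in-process server without a .dll/.ocx extension")
        if reasons:
            known = clsid in KNOWN_HIJACKED_CLSIDS or name in KNOWN_FILENAMES
            findings.append({"clsid": clsid, "path": path, "reasons": reasons,
                             "severity": "high" if known else "medium"})
    return findings


def snapshot_from_live_registry() -> Dict[str, str]:
    """Windows only: build the same snapshot from the real registry with winreg."""
    import winreg   # imported here so the audit logic stays portable
    out: Dict[str, str] = {}
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            root = winreg.OpenKey(hive, r"Software\Classes\CLSID")
        except OSError:
            continue
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, i)
            except OSError:
                break                   # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as k:
                    key = f"{hive_name}\\Software\\Classes\\CLSID\\{clsid}\\InprocServer32"
                    out[key] = winreg.QueryValueEx(k, "")[0]
            except OSError:
                pass                    # CLSID without an in-process server
    return out


if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f["severity"], f["clsid"], f["path"], "; ".join(f["reasons"]))
```

On 64-bit Windows, 32-bit servers also register under Wow6432Node, so a complete audit enumerates HKLM\Software\Classes\Wow6432Node\CLSID as well. Per-user registrations left by per-user application installs are common, which is why the audit reports a severity rather than a verdict: the benign entry in the snapshot is reported at medium, the hijacked one at high with every reason attached.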

Potential Impact

For European government agencies and academic research institutions the risk is to the confidentiality of their correspondence: a backdoor that runs inside Outlook reads whatever the user can read and can export mailbox contents on command. Because both tasking and exfiltration travel as ordinary e-mail through the legitimate client, network controls tuned for C2 beacons see nothing, and the persistence mechanism (a per-user registry key, no modified binaries, no add-in entry) survives reboots and is untouched by Outlook add-in management, so undetected access tends to be long-lived. Exposure of diplomatic, policy or research correspondence, and the loss of trust in the mail system once a compromise is found, are the direct consequences; the command-execution strings in the samples (PowerShellRunner.dll, "cmd container") mean the foothold can also serve follow-on activity on the host. There is no patch to apply: the technique abuses a documented extensibility mechanism from an unprivileged account, so remediation means finding and removing the registration and files on each affected host and relying on hardening and behavioural detection going forward. The documented targeting of Western European government institutions (Germany and France in the Cert-IST record) points to a strategic espionage motive with national-security implications.

Mitigation Recommendations

1. Alert on writes to HKCU\Software\Classes\CLSID\<CLSID>\InprocServer32 (Sysmon Event ID 12/13, where the per-user hive appears as HKU\<SID>\...). Treat the two CLSIDs in the indicators as high-confidence hits and any per-user entry that shadows an HKLM registration as a hijack candidate. Per-user COM registrations need no administrative rights, so this is the control that catches the initial install.
2. Hunt existing hosts: look for mapid.tlb, msmime.dll, scawrdot.db and flobcsnd.dat under %APPDATA%\Microsoft\Windows, for data under HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\, and run ESET's six YARA rules (BSD 2-Clause, https://github.com/eset/malware-ioc/tree/master/turla) over disk and process memory. turla_outlook_filenames and turla_outlook_exports are the cheapest to run at scale.
3. Monitor module loads in outlook.exe (Sysmon Event ID 7): a module from a user-profile path, an unsigned module, or one with a non-DLL extension such as .tlb is abnormal for Outlook.
4. Apply application control (AppLocker DLL rules or WDAC) that denies unsigned code from user-writable paths. AppLocker's DLL rule collection is disabled by default and must be enabled explicitly; it is what covers COM servers, which the Outlook add-in list never shows.
5. Treat mail as the C2 channel. Commands arrive by e-mail and collected data leaves as self-generated PDF attachments, so firewall and proxy logs show nothing unusual; inspect outbound attachments for documents matching turla_outlook_pdf and review mailbox export activity on the mail server.
6. Audit COM registrations, not only the Outlook add-in list: a COM hijack does not appear as an add-in. Include The Bat! plugins and Thunderbird profiles, which the samples also reference.
7. Configure EDR detections for persistence through HKCU CLSID keys and for outlook.exe loading code from %APPDATA%.
8. Block and retro-hunt the sample hashes listed below.
9. Least privilege and patching reduce the attacker's follow-on options and the chance of an initial foothold, but neither prevents this technique: the hijack works from an ordinary user account and there is no patch for it.
10. Brief analysts on COM hijacking and Turla's tradecraft (aliases: Snake, Uroburos, Venomous Bear, KRYPTON, Waterbug, WhiteBear) and share detections with national CSIRTs.
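Recommendations 1, 3 and 7 reduce to three telemetry rules. The block below is an added example, not ESET's or the page's code, and the Sysmon records it runs over are constructed (the SID, user name and dropper path are invented): it flags a per-user InprocServer32 write (Event ID 13), creation of one of the four listed file names (Event ID 11), and outlook.exe loading a module that is unsigned, lives in a user profile directory, lacks a DLL extension or carries a listed name (Event ID 7). Sysmon reports the per-user hive as HKU\<SID>, which is why the registry rule does not look for a literal HKCU prefix.

```python
"""Added example (not ESET's or the page's code): detection logic for the
Turla Outlook COM hijack over Sysmon telemetry. The events below are constructed
to look like Sysmon Event ID 13 (registry value set), 7 (image loaded) and
11 (file created) records; the SID, user name and dropper path are made up."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

KNOWN_CLSIDS = {
    "{49CBB1C7-97D1-485A-9EC1-A26065633066}",
    "{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}",
}
KNOWN_FILENAMES = {"mapid.tlb", "msmime.dll", "scawrdot.db", "flobcsnd.dat"}

# Sysmon writes per-user hives as HKU\<SID>\... and the default value as (Default).
_INPROC_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\InprocServer32\\\(Default\)$",
    re.IGNORECASE,
)
_PROFILE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13:
            # Any per-user InprocServer32 write deserves a look; the two Turla
            # CLSIDs are high-confidence. HKLM writes need admin rights and are
            # usually installers, so they are left to other rules.
            m = _INPROC_RE.match(str(ev["TargetObject"]))
            if m:
                clsid = m.group(1).upper()
                alerts.append({"rule": "per-user InprocServer32 set", "clsid": clsid,
                               "details": ev["Details"], "image": ev["Image"],
                               "known_turla_clsid": clsid in KNOWN_CLSIDS})
        elif eid == 7 and _name(str(ev["Image"])) == "outlook.exe":
            loaded = str(ev["ImageLoaded"])
            name = _name(loaded)
            why = []
            if name in KNOWN_FILENAMES:
                why.append("known Turla file name")
            if _PROFILE_RE.search(loaded):
                why.append("module loaded from a user profile directory")
            if str(ev.get("Signed", "")).lower() != "true":
                why.append("module is not signed")
            if not name.endswith((".dll", ".ocx")):
                why.append("module without a .dll/.ocx extension")
            if why:
                alerts.append({"rule": "suspicious module in outlook.exe",
                               "module": loaded, "why": why})
        elif eid == 11 and _name(str(ev["TargetFilename"])) in KNOWN_FILENAMES:
            alerts.append({"rule": "Turla file name created",
                           "file": ev["TargetFilename"], "image": ev["Image"]})
    return alerts


# Constructed sample telemetry (field names follow Sysmon's schema).
USER_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7, "Image": OUTLOOK,                        # normal system DLL: no alert
     "ImageLoaded": r"C:\Windows\System32\ole32.dll", "Signed": "true"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}"
                     r"\InprocServer32\(Default)",
     "Details": USER_DIR + r"\mapid.tlb"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": USER_DIR + r"\mapid.tlb"},
    {"EventID": 7, "Image": OUTLOOK,
     "ImageLoaded": USER_DIR + r"\mapid.tlb", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",  # machine-wide install: no alert
     "TargetObject": r"HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}"
                     r"\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\component.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a SIEM the same three conditions translate directly into rules. The Event ID 7 rule also fires on legitimate per-user add-ins, so route it to triage rather than blocking; the two Turla CLSIDs and the four file names are specific enough to page on.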


Technical Details

UUID: 5b773e07-e694-458b-b99c-27f30a016219
Original timestamp: 1750309209

Indicators of Compromise

File
  %appdata%\Microsoft\Windows\scawrdot.db
  %appdata%\Microsoft\Windows\flobcsnd.dat
  mapid.tlb
  msmime.dll
  Eset-Turla-Outlook-Backdoor.pdf (https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf)

Regkey
  HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} (COM hijacking)
  HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D} (COM hijacking)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ZonePolicy\ (virtual file system)

Url
  https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf (white paper)

Link
  https://github.com/eset/malware-ioc/tree/master/turla
  https://wws.cert-ist.com/private/fr/IocAttack_details?format=html&objectType=ATK&ref=CERT-IST/ATK-2017-023 (Cert-IST external link)
  https://www.welivesecurity.com/2018/08/22/turla-unique-outlook-backdoor/
  https://www.virustotal.com/file/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b/analysis/1535552262/
  https://www.virustotal.com/file/6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f/analysis/1535608377/
  https://www.virustotal.com/file/881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867/analysis/1535536658/

Yara (all six rules merged from event 11961)

rule turla_outlook_log {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "First bytes of the encrypted Turla Outlook logs"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        // Log begin: [...] TVer
        $s1 = {01 87 C9 75 C8 69 98 AC E0 C9 7B [21] EB BB 60 BB 5A}
    condition:
        $s1 at 0
}

rule outlook_misty1 {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Detects the Turla MISTY1 implementation"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        // and edi, 1FFh
        $o1 = {81 E7 FF 01 00 00}
        // shl ecx, 9
        $s1 = {C1 E1 09}
        // xor ax, si
        $s2 = {66 33 C6}
        // shr eax, 7
        $s3 = {C1 E8 07}
        $o2 = {8B 11 8D 04 1F 50 03 D3 8D 4D C4}
    condition:
        $o2 and for all i in (1..#o1): (for all of ($s*) : ($ in (@o1[i] - 500 .. @o1[i] + 500)))
}

rule turla_outlook_gen {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Turla Outlook malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        $s1 = "Outlook" ascii wide
        $s2 = "Outlook Express" ascii wide
        $s3 = "Outlook watchdog" ascii wide
        $s4 = "Software\\RIT\\The Bat!" ascii wide
        $s5 = "Mail Event Window" ascii wide
        $s6 = "Software\\Mozilla\\Mozilla Thunderbird\\Profiles" ascii wide
        $s7 = "%%PDF-1.4\n%%%c%c\n" ascii wide
        $s8 = "%Y-%m-%dT%H:%M:%S+0000" ascii wide
        $s9 = "rctrl_renwnd32" ascii wide
        $s10 = "NetUIHWND" ascii wide
        $s11 = "homePostalAddress" ascii wide
        $s12 = "/EXPORT;OVERRIDE;START=-%d;END=-%d;FOLDER=%s;OUT=" ascii wide
        $s13 = "Re:|FWD:|AW:|FYI:|NT|QUE:" ascii wide
        $s14 = "IPM.Note" ascii wide
        $s15 = "MAPILogonEx" ascii wide
        $s16 = "pipe\\The Bat! %d CmdLine" ascii wide
        $s17 = "PowerShellRunner.dll" ascii wide
        $s18 = "cmd container" ascii wide
        $s19 = "mapid.tlb" ascii wide nocase
        $s20 = "Content-Type: F)*+" ascii wide fullword
    condition:
        5 of them
}

import "pe"

rule turla_outlook_exports {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Export names of Turla Outlook Malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    condition:
        (pe.exports("install") or pe.exports("Install")) and
        pe.exports("TBP_Initialize") and
        pe.exports("TBP_Finalize") and
        pe.exports("TBP_GetName") and
        pe.exports("DllRegisterServer") and
        pe.exports("DllGetClassObject")
}

rule turla_outlook_filenames {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Turla Outlook filenames"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        $s1 = "mapid.tlb"
        $s2 = "msmime.dll"
        $s3 = "scawrdot.db"
    condition:
        any of them
}

rule turla_outlook_pdf {
    meta:
        author = "ESET Research"
        date = "22-08-2018"
        description = "Detect PDF documents generated by Turla Outlook malware"
        reference = "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf"
        source = "https://github.com/eset/malware-ioc/"
        contact = "github@eset.com"
        license = "BSD 2-Clause"
    strings:
        $s1 = "Adobe PDF Library 9.0" ascii wide nocase
        $s2 = "Acrobat PDFMaker 9.0" ascii wide nocase
        $s3 = {FF D8 FF E0 00 10 4A 46 49 46}
        $s4 = {00 3F 00 FD FC A2 8A 28 03 FF D9}
        $s5 = "W5M0MpCehiHzreSzNTczkc9d" ascii wide nocase
        $s6 = "PDF-1.4" ascii wide nocase
    condition:
        5 of them
}
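The turla_outlook_pdf rule is the one that applies outside the endpoint: at a mail gateway or over a mailbox export, where the generated PDFs leave. The block below is an added example, not ESET's code, that reproduces that rule's string matching in Python (the four text strings as ascii, wide and nocase, the two hex patterns, and the "5 of them" threshold) and applies it to every attachment of an outbound message. The message, the addresses and both PDF bodies are constructed here so the script runs offline; where yara-python is available, running ESET's rule directly is preferable.

```python
"""Added example (not ESET's or the page's code): apply the string logic of
ESET's turla_outlook_pdf YARA rule to outbound mail attachments, for a mail
gateway or mailbox export where yara itself is not available. The message and
the two attachment bodies are constructed so the script runs offline."""
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Tuple

# Strings from the turla_outlook_pdf rule: text ones are "ascii wide nocase",
# the two byte patterns are plain hex strings. Condition: 5 of them.
TEXT_STRINGS = (
    "Adobe PDF Library 9.0",
    "Acrobat PDFMaker 9.0",
    "W5M0MpCehiHzreSzNTczkc9d",
    "PDF-1.4",
)
HEX_STRINGS = (
    bytes.fromhex("FFD8FFE000104A464946"),
    bytes.fromhex("003F00FDFCA28A2803FFD9"),
)
THRESHOLD = 5


def matched_strings(data: bytes) -> int:
    """Count how many of the rule's six strings occur, honouring ascii/wide/nocase."""
    lowered = data.lower()              # bytes.lower() only touches ASCII letters
    hits = 0
    for s in TEXT_STRINGS:
        ascii_form = s.lower().encode("ascii")
        wide_form = s.lower().encode("utf-16-le")   # YARA "wide": UTF-16LE form
        if ascii_form in lowered or wide_form in lowered:
            hits += 1
    for pattern in HEX_STRINGS:
        if pattern in data:
            hits += 1
    return hits


def is_turla_pdf(data: bytes) -> bool:
    return matched_strings(data) >= THRESHOLD


def scan_message(raw: bytes) -> List[Tuple[str, int]]:
    """Return (filename, matched-string count) for every attachment that fires."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        count = matched_strings(payload)
        if count >= THRESHOLD:
            flagged.append((part.get_filename() or "<unnamed>", count))
    return flagged


# Constructed attachment bodies. SUSPECT_PDF carries five of the six indicators
# the way a generated document would; BENIGN_PDF carries only the two that any
# PDF 1.4 with an embedded JPEG has.
SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Producer (Adobe PDF Library 9.0) /Creator (Acrobat PDFMaker 9.0) >> endobj\n"
    b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>\n"
    + bytes.fromhex("FFD8FFE000104A464946") + b"...\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Producer (SomeOtherTool) >> endobj\n"
    + bytes.fromhex("FFD8FFE000104A464946") + b"\n%%EOF\n"
)


def build_message(attachments: List[Tuple[str, bytes]]) -> bytes:
    """Assemble an outbound message with PDF attachments (constructed sample)."""
    msg = MIMEMultipart()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Re: quarterly figures"
    msg.attach(MIMEText("see attached"))
    for filename, body in attachments:
        part = MIMEApplication(body, _subtype="pdf")
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)
    return msg.as_bytes()


SAMPLE_MESSAGE = build_message([("figures.pdf", BENIGN_PDF), ("report.pdf", SUSPECT_PDF)])

if __name__ == "__main__":
    for name, count in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: {count}/6 turla_outlook_pdf strings matched")
```

PDF-1.4 and the JFIF header occur in countless legitimate documents, which is why the rule needs five of six; the producer strings are what make a hit meaningful. Treat a match as a reason to hold the message and inspect the sender's Outlook COM registrations, not as proof on its own.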

Text
  Turla (Cert-IST Attack name)
  48/65 (VirusTotal detection ratio)
  VirusTotal per-engine results: Bkav (1.3.0.8876) Detection: No detection MicroWorld-eScan (14.0.297.0) Detection: Trojan.GenericKD.1592844 CMC (1.1.0.977) Detection: No detection CAT-QuickHeal (14.00) Detection: Trojan.Turla McAfee (6.0.6.653) Detection: Trojan-FDTA!7009AF646C6C Cylance (2.3.1.101) Detection: Unsafe Zillya (2.0.0.3626) Detection: Trojan.Turla.Win32.32 TheHacker (6.8.0.5.3634) Detection: No detection K7GW (10.61.28222) Detection: Trojan ( 00461fd31 ) K7AntiVirus (10.61.28220) Detection: Trojan ( 00461fd31 ) TrendMicro (10.0.0.1040) Detection: BKDR_TURLA.YKV Baidu (1.0.0.2) Detection: No detection Babable (9107201) Detection: No detection Cyren (6.0.0.4) Detection: W32/Trojan.WMSS-2180 Symantec (1.7.0.0) Detection: Trojan.Turla ESET-NOD32 (17963) Detection: Win32/Turla.N TrendMicro-HouseCall (9.950.0.1006) Detection: BKDR_TURLA.YKV Paloalto (1.0) Detection: generic.ml ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0 Kaspersky (15.0.1.13) Detection: HEUR:Trojan.Win32.Turla.gen BitDefender (7.2) Detection: Trojan.GenericKD.1592844 NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.dflvwp ViRobot (2014.3.20.0) Detection: No detection AegisLab (4.2) Detection: Trojan.Win32.Turla.m!c Avast (18.4.3895.0) Detection: Win32:Turla-P [Trj] Rising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (TFE:6:kpEFpblqr3J) Endgame (3.0.1) Detection: No detection Sophos (4.98.0) Detection: Troj/Turla-F Comodo (None) Detection: No detection F-Secure (11.0.19100.45) Detection: Trojan.GenericKD.1592844 DrWeb (7.0.33.6080) Detection: BackDoor.Turla.27 VIPRE (69182) Detection: Trojan.Win32.Generic!BT Invincea (6.3.5.26121) Detection: No detection McAfee-GW-Edition (v2017.3010) Detection: Trojan-FDTA!7009AF646C6C Emsisoft (2018.4.0.1029) Detection: Trojan.GenericKD.1592844 (B) SentinelOne (1.0.17.227) Detection: No detection F-Prot (4.7.1.166) Detection: W32/Turla.H Jiangmin (16.0.100) Detection: Backdoor/Turla.b Webroot (1.0.0.403) Detection: W32.Trojan.GenKD Avira (8.3.3.6) Detection: TR/Rogue.290816.12 MAX (2017.11.15.1) Detection: malware (ai score=83) Antiy-AVL (3.0.0.1) Detection: Trojan/Win32.SGeneric Kingsoft (2013.8.14.323) Detection: Win32.Troj.Generic.a.(kcloud) Microsoft (1.1.15200.1) Detection: Trojan:Win32/Turla!dha Arcabit (1.0.0.833) Detection: Trojan.Generic.D184E0C SUPERAntiSpyware (5.6.0.1032) Detection: No detection ZoneAlarm (1.0) Detection: HEUR:Trojan.Win32.Turla.gen Avast-Mobile (180828-12) Detection: No detection GData (A:25.18286B:25.13082) Detection: Win32.Trojan.Jyuqet.A@gen AhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Turla.C341973 VBA32 (3.33.0) Detection: BScope.Trojan.Bitrep AVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT TACHYON (2018-08-29.02) Detection: No detection Ad-Aware (3.0.5.370) Detection: Trojan.GenericKD.1592844 Malwarebytes (2.1.1.1115) Detection: No detection Zoner (1.0) Detection: No detection Tencent (1.0.0.1) Detection: Win32.Trojan.Url.Tiir Yandex (5.5.1.3) Detection: Trojan.Turla!rVc9OA48pYU Ikarus (0.1.5.2) Detection: Trojan.SuspectCRC eGambit (None) Detection: No detection Fortinet (5.4.247.0) Detection: W32/Turla.N!tr AVG (18.4.3895.0) Detection: Win32:Turla-P [Trj] Panda (4.6.4.2) Detection: Trj/Genetic.gen CrowdStrike (1.0) Detection: No detection Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.2f9
  44/65 (VirusTotal detection ratio)
  VirusTotal per-engine results: Bkav (1.3.0.8876) Detection: No detection MicroWorld-eScan (14.0.297.0) Detection: Trojan.Generic.21818445 CMC (1.1.0.977) Detection: No detection CAT-QuickHeal (14.00) Detection: Trojan.Turla McAfee (6.0.6.653) Detection: RDN/Generic.com Cylance (2.3.1.101) Detection: Unsafe TheHacker (6.8.0.5.3634) Detection: No detection K7GW (10.61.28228) Detection: Trojan ( 004fb2be1 ) K7AntiVirus (10.61.28226) Detection: Trojan ( 004fb2be1 ) TrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18 Baidu (1.0.0.2) Detection: No detection Babable (9107201) Detection: No detection F-Prot (4.7.1.166) Detection: W32/Turla.I Symantec (1.7.0.0) Detection: Trojan.Gen.2 ESET-NOD32 (17964) Detection: a variant of Win32/Turla.R TrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18 Paloalto (1.0) Detection: generic.ml ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657767-0 Kaspersky (15.0.1.13) Detection: Trojan.Win32.Turla.ak BitDefender (7.2) Detection: Trojan.Generic.21818445 NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Turla.enykkt ViRobot (2014.3.20.0) Detection: No detection SUPERAntiSpyware (5.6.0.1032) Detection: No detection Avast (18.4.3895.0) Detection: Win32:Malware-gen Tencent (1.0.0.1) Detection: Win32.Trojan.Turla.Lqey Ad-Aware (3.0.5.370) Detection: Trojan.Generic.21818445 Sophos (4.98.0) Detection: Mal/Generic-S Comodo (None) Detection: No detection F-Secure (11.0.19100.45) Detection: Trojan.Generic.21818445 DrWeb (7.0.33.6080) Detection: BackDoor.Turla.111 VIPRE (69200) Detection: No detection Invincea (6.3.5.26121) Detection: heuristic McAfee-GW-Edition (v2017.3010) Detection: RDN/Generic.com Emsisoft (2018.4.0.1029) Detection: Trojan.Generic.21818445 (B) SentinelOne (1.0.17.227) Detection: No detection Cyren (6.0.0.4) Detection: W32/Trojan.XKJO-4284 Jiangmin (16.0.100) Detection: No detection Webroot (1.0.0.403) Detection: No detection Avira (8.3.3.6) Detection: TR/AD.Turla.ckypp Antiy-AVL (3.0.0.1) Detection: No detection Kingsoft (2013.8.14.323) Detection: No detection Microsoft (1.1.15200.1) Detection: Trojan:Win32/Occamy.C Endgame (3.0.1) Detection: No detection Arcabit (1.0.0.833) Detection: Trojan.Generic.D14CEC4D AegisLab (4.2) Detection: Trojan.Win32.Turla.4!c ZoneAlarm (1.0) Detection: Trojan.Win32.Turla.ak Avast-Mobile (180828-12) Detection: No detection GData (A:25.18288B:25.13086) Detection: Trojan.Generic.21818445 TACHYON (2018-08-29.02) Detection: Trojan/W32.Turla.388096 AhnLab-V3 (3.13.1.21616) Detection: Trojan/Win32.Occamy.C2678124 ALYac (1.1.1.5) Detection: Trojan.Turla.Gen AVware (1.6.0.52) Detection: No detection MAX (2017.11.15.1) Detection: malware (ai score=100) VBA32 (3.33.0) Detection: BScope.Trojan.Bitrep Malwarebytes (2.1.1.1115) Detection: No detection Zoner (1.0) Detection: No detection Rising (25.0.0.24) Detection: Trojan.Turla!8.1C8 (CLOUD) Yandex (5.5.1.3) Detection: Trojan.Turla!WCZg2q7ERNg Ikarus (0.1.5.2) Detection: Trojan.Win32.Turla eGambit (None) Detection: No detection Fortinet (5.4.247.0) Detection: W32/Turla.AK!tr AVG (18.4.3895.0) Detection: Win32:Malware-gen Panda (4.6.4.2) Detection: Trj/GdSda.A CrowdStrike (1.0) Detection: No detection Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.URL.de0
  48/67 (VirusTotal detection ratio)
  VirusTotal per-engine results: Bkav (1.3.0.8876) Detection: W32.eHeur.Malware10 MicroWorld-eScan (14.0.297.0) Detection: Gen:Variant.Zusy.258575 CMC (1.1.0.977) Detection: No detection CAT-QuickHeal (14.00) Detection: TrojanSpy.Agent McAfee (6.0.6.653) Detection: GenericRXCJ-OD!FF8C3F362D7C Cylance (2.3.1.101) Detection: Unsafe Zillya (2.0.0.3626) Detection: No detection TheHacker (6.8.0.5.3634) Detection: No detection K7GW (10.61.28216) Detection: Trojan ( 005097051 ) K7AntiVirus (10.61.28217) Detection: Trojan ( 005097051 ) Arcabit (1.0.0.833) Detection: Trojan.Zusy.D3F20F TrendMicro (10.0.0.1040) Detection: TROJ_GEN.R002C0OGP18 Baidu (1.0.0.2) Detection: No detection Babable (9107201) Detection: No detection Cyren (6.0.0.4) Detection: W32/Trojan.AMKO-3554 Symantec (1.7.0.0) Detection: Trojan.Turla ESET-NOD32 (17962) Detection: Win32/Turla.AW TrendMicro-HouseCall (9.950.0.1006) Detection: TROJ_GEN.R002C0OGP18 Avast (18.4.3895.0) Detection: Win32:Malware-gen ClamAV (0.100.1.0) Detection: Win.Trojan.Turla-6657713-1 Kaspersky (15.0.1.13) Detection: Trojan-Spy.Win32.Agent.dewe BitDefender (7.2) Detection: Gen:Variant.Zusy.258575 NANO-Antivirus (1.0.116.23366) Detection: Trojan.Win32.Agent.enbjod ViRobot (2014.3.20.0) Detection: No detection AegisLab (4.2) Detection: Troj.W32.Gen.lJ0K Rising (25.0.0.24) Detection: Spyware.Agent!8.C6 (CLOUD) Ad-Aware (3.0.5.370) Detection: Gen:Variant.Zusy.258575 Emsisoft (2018.4.0.1029) Detection: Gen:Variant.Zusy.258575 (B) Comodo (None) Detection: No detection F-Secure (11.0.19100.45) Detection: Gen:Variant.Zusy.258575 DrWeb (7.0.33.6080) Detection: Trojan.MulDrop7.22438 VIPRE (69176) Detection: Trojan.Win32.Generic!BT Invincea (6.3.5.26121) Detection: heuristic McAfee-GW-Edition (v2017.3010) Detection: BehavesLike.Win32.Generic.hc Sophos (4.98.0) Detection: Mal/Generic-S SentinelOne (1.0.17.227) Detection: No detection F-Prot (4.7.1.166) Detection: W32/Turla.G Jiangmin (16.0.100) Detection: No detection Webroot (1.0.0.403) Detection: No detection Avira (8.3.3.6) Detection: TR/Crypt.ZPACK.gpbbw Antiy-AVL (3.0.0.1) Detection: No detection Kingsoft (2013.8.14.323) Detection: No detection Endgame (3.0.1) Detection: malicious (high confidence) Microsoft (1.1.15200.1) Detection: TrojanSpy:Win32/Skeeyah.A!rfn SUPERAntiSpyware (5.6.0.1032) Detection: No detection ZoneAlarm (1.0) Detection: Trojan-Spy.Win32.Agent.dewe Avast-Mobile (180828-12) Detection: No detection GData (A:25.18285B:25.13082) Detection: Gen:Variant.Zusy.258575 TACHYON (2018-08-29.02) Detection: No detection AhnLab-V3 (3.13.1.21616) Detection: No detection ALYac (1.1.1.5) Detection: Trojan.Turla.Gen AVware (1.6.0.52) Detection: Trojan.Win32.Generic!BT MAX (2017.11.15.1) Detection: malware (ai score=100) VBA32 (3.33.0) Detection: TrojanSpy.Agent Malwarebytes (2.1.1.1115) Detection: No detection Panda (4.6.4.2) Detection: Trj/GdSda.A Zoner (1.0) Detection: No detection Tencent (1.0.0.1) Detection: Win32.Trojan-spy.Agent.Egye Yandex (5.5.1.3) Detection: TrojanSpy.Agent!7mlehJopBxA Ikarus (0.1.5.2) Detection: Trojan.Win32.Turla eGambit (None) Detection: No detection Fortinet (5.4.247.0) Detection: Generik.KSPWBSP!tr AVG (18.4.3895.0) Detection: Win32:Malware-gen Cybereason (1.2.27) Detection: malicious.62d7c9 Paloalto (1.0) Detection: generic.ml CrowdStrike (1.0) Detection: malicious_confidence_70% (D) Qihoo-360 (1.0.0.1120) Detection: Win32/Trojan.d45

Comment
  Snake (Cert-IST Attack Alias)
  Uroburos (Cert-IST Attack Alias)
  Venomous Bear (Cert-IST Attack Alias)
  KRYPTON (Cert-IST Attack Alias)
  Waterbug (Cert-IST Attack Alias)
  WhiteBear (Cert-IST Attack Alias)
  Cert-IST Description: these IOCs originate in a report by ESET regarding the Outlook backdoor used in an attack against European government institutions in 2016 and 2017. The extremely stealthy Outlook backdoor receives commands by e-mail, and also exfiltrates data by e-mail via PDF attachments. To do this, it uses the legitimate Microsoft Outlook application installed on the infected computer.
  Outlook (Cert-IST Malware Name)

Target location
  Germany (Cert-IST Targeted Country)
  France (Cert-IST Targeted Country)

Datetime
  2015-12-31T23:00:00+00:00 (Cert-IST First Seen Date)
  2018-08-21T22:00:00+00:00 (Cert-IST First Disclosed Date)
  2018-08-29T14:17:42
  2018-08-30T05:52:57
  2018-08-29T09:57:38

Hash
  7009af646c6c3e6abc0af744152ca968 (MD5)
  8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2 (SHA-1)
  e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b (SHA-256)
  af8889f4705145d4390ee8d581f45436 (MD5)
  cf943895684c6ff8d1e922a76b71a188cfb371d7 (SHA-1)
  6a9bc3a1eb4f814af952f27066b70136b9cd7ad980f705dad5bc91b697888b5f (SHA-256)
  851dffa6cd611dc70c9a0d5b487ff00bc3853f30 (SHA-1)
  ff8c3f362d7c9b9a19cfa09b4b3cfc75 (MD5)
  f992abe8a67120667a01b88cd5bf11ca39d491a0 (SHA-1)
  881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867 (SHA-256)

Threat ID: 6854183733c7acc0460a88ba

Added to database: 6/19/2025, 2:01:27 PM

Last enriched: 1/17/2026, 8:02:20 AM

Last updated: 2/4/2026, 5:48:16 PM
