Turla Tróia Instruções da remoção - restaurar o computador de infecções

Turla Tróia Instruções da remoção - restaurar o computador de infecções

Os ataques Turla de Tróia estão actualmente a infectar usuários em todo o mundo em uma campanha ofensiva. As amostras capturadas mostrar que a ameaça pode causar danos generalizados sobre os hosts comprometidos. Nosso artigo fornece uma visão geral das operações de vírus e também pode ser útil na tentativa de remover o vírus.

Resumo ameaça

NomeA torre de Tróia
Pequena descriçãoThe Turla Trojan is a utility malware that is designed to silently infiltrate computer systems, infecções ativas vai espionar os usuários vítima.
Os sintomasAs vítimas podem não sentir quaisquer sintomas aparentes de infecção.
distribuição MétodoInstalações freeware, pacotes integrados, Scripts e outros.
Ferramenta de detecção See If Your System Has Been Affected by Turla Trojan


Remoção de Malware Ferramenta

Experiência de usuárioParticipe do nosso Fórum to Discuss Turla Trojan.

Turla Trojan – Distribution Methods

The Turla Trojan is the collective name of which a group of backdoors and malware led by the hacking group bearing the same name is known. Over the years several active campaigns bearing modified versions of it.

The recent attacks carrying the threat use a classic infiltration technique which depends on the interaction with a Adobe Flash installer. This means that the hackers can leverage several different distribution techniques:

  • Falsificados Sites Descarregar — The hackers can construct fake copies of legitimate vendor sites and download portals. They might use stolen web design elements and layout, as well as domain names. This can fool a large part of ordinary web users that can get redirected via search engine results or scripts such as pop-ups, banners, ads and in-line links.
  • Scam Email Messages — Another popular technique is the coordination of mass email SPAM messages. They are created using graphics and text taken from well known sites or Internet services. This can confuse the users into thinking that they have received a software update message from Adobe for instance. The dangerous file can be directly attached or linked in the body contents.
  • Installer Bundles — In some specific cases the virus can be made part of the legitimate Adobe Flash player installer.
  • Document Scripts — The hackers behind the Turla Trojan can embed the installation code into macros. This means that infections can happen through interaction with all kinds of files: documentos de texto rico, Planilhas, apresentações e bancos de dados. Once they are opened a notification prompt will pop-up asking the users to enable the built-in content. Se isso for feito a infecção vai seguir.

In certain cases the hackers can also deliver the threats via seqüestradores de navegador — malicious web browser extensions. They are usually spread on the relevant repositories using an elaborate description promising new feature enhancements. The use of fake developer credentials and use reviews can further coerce the victims into installing it. If this is done then their browser settings will be changed to redirect to a certain hacker-controlled page. The next actions will be to install the relevant Trojan code.

Some of the infections have been caused via vulnerability testing. The hackers use popular security audit tools to find weaknesses in computer hosts and networks. If an unpatched service software is found and they have the right exploit code the Turla Trojan code can be automatically deployed.

Turla Trojan – Detailed Description

Once the Turla Trojan has penetrated the computer’s security it will automatically launch a series of built-in commands. This Trojan uses a different approach in comparison to other threats. Instead of a traditional secure connection to a hacker-controlled server it depends on the delivery of files and email correspondence to automate the infection reports.

This means that the main malware engine can connect to an email inbox hat has been specially created for this purpose. Network administrators will not be able to trace down this specific stream as it appears just like any normal user behavior. The engine will report the data in a file, usually in the form of a PDF file, which is sent as an attachment and sent to the hacker operators. Upon receiving the message the remote administration client will read the data and then send specific instructions using the same mechanism back to the infected hosts.

The security analysis shows that the Turla Trojan have the ability to interact with email clients (Outlook and The Bat!). The malicious engine sets itself as a persistent dependency which allows it to start every time the applications are accessed.

Story relacionado: Turla Hackers Employ Mosquite Backdoor Against Diplomats

The full analysis has revealed the commands that can be launched by the hackers. The full list of actions includes the following:

  • Display a MessageBox — Allows the hackers to display a notification box on the victim’s desktop. This is widely used when orchestrating social engineering attacks.
  • Dormir — Triggers a “dormir” power event.
  • Delete File — Allows the hackers to choose a file on the users computer that will be deleted.
  • Get File — Retrieves a chosen file from the infected machine.
  • Set operator email address A(overriding the initial one hardcoded in the DLL) — Changes the controlling email address to another one.
  • Put File — Deploys a hacker-specified file to the machines.
  • Run Shell Command — Allows the hackers to execute commands of their choice — either in PowerShell or the command prompt.
  • Create Process — The malicius engine will create a second process in a separate thread.
  • Delete Directory — Deletes a chosen directory.
  • Create Directory — Creates a directory under a provided name in a specified directory.
  • Change timeout — Modifies the interval between the email correspondence monitoring.
  • Run Powershell Command — Enables the hackers to execute PowerShell commands and scripts.
  • Set Answer Mode — Modifies the return instructions mode.

Most of the Turla Trojan attacks can be configured using either built-in scripts or programmed by the hackers to carry out complex infiltrations. This includes a instalação persistente. This means that it can modify the boot options and automatically start once the computer is booted up. This procedure can also disable access to the recovery menu which will render most manual recovery instructions worthless.

Use of the Turla Trojan can lead to sensitive information harvesting. This means that it can retrieve strings that can expose the victim’s identity — their name, endereço, número de telefone, interesses, localização e quaisquer credenciais da conta armazenados. The other type of information that can be hijacked is metrics about the operating system and the installed hardware components that can be used to optimize the upcoming attacks.

The malicious algorithm can also be configured to delete any System recovery information such as backups and Shadow Volume Copies. This means that effective restore of the infected computers is only possible with a professional-grade recovery software, refer to our instructions for more information on the matter.

It is possible that the Turla Trojan can be modified to execute banking Trojan like behavior. Thanks to the remote control and spying capabilities the hackers can monitor when the victim users enter into certain services like email inboxes and online banks. When they access the relevant login pages the criminals can directly extract the mouse movement and keystrokes. The credentials will be automatically transferred to the hackers.

Remove Turla Trojan

Se o seu sistema de computador foi infectado com o Turla troiano, você deve ter um pouco de experiência na remoção de malware. Você deve se livrar deste Trojan o mais rápido possível antes que ele possa ter a chance de se espalhar ainda mais e infectar outros computadores. Você deve remover o Trojan e siga o passo-a-passo guia de instruções fornecido abaixo.


Martin Beltov

Martin formou-se na publicação da Universidade de Sofia. Como a segurança cibernética entusiasta ele gosta de escrever sobre as ameaças mais recentes e mecanismos de invasão.

mais Posts - Local na rede Internet

Me siga:
TwitterGoogle Plus

Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Compartilhar no Twitter chilrear
Compartilhar no Google Plus Compartilhar
Partilhar no Linkedin Compartilhar
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Partilhar no StumbleUpon Compartilhar