The Turla Trojan attacks are currently infecting users worldwide in an offensive campaign. The captured samples showcase that the threat can cause widespread damage on the compromised hosts. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.
Threat Summary
| Name | Turla Trojan |
| Type | Trojan |
| Short Description | The Turla Trojan is a utility malware that is designed to silently infiltrate computer systems, active infections will spy on the victim users. |
| Symptoms | The victims may not experience any apparent symptoms of infection. |
| Distribution Method | Freeware Installations, Bundled Packages, Scripts and others. |
| Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
| User Experience | Join Our Forum to Discuss Turla Trojan. |
Turla Trojan – Distribution Methods
The Turla Trojan is the collective name of which a group of backdoors and malware led by the hacking group bearing the same name is known. Over the years several active campaigns bearing modified versions of it.
The recent attacks carrying the threat use a classic infiltration technique which depends on the interaction with a Adobe Flash installer. This means that the hackers can leverage several different distribution techniques:
- Fake Download Sites — The hackers can construct fake copies of legitimate vendor sites and download portals. They might use stolen web design elements and layout, as well as domain names. This can fool a large part of ordinary web users that can get redirected via search engine results or scripts such as pop-ups, banners, ads and in-line links.
- Scam Email Messages — Another popular technique is the coordination of mass email SPAM messages. They are created using graphics and text taken from well known sites or Internet services. This can confuse the users into thinking that they have received a software update message from Adobe for instance. The dangerous file can be directly attached or linked in the body contents.
- Installer Bundles — In some specific cases the virus can be made part of the legitimate Adobe Flash player installer.
- Document Scripts — The hackers behind the Turla Trojan can embed the installation code into macros. This means that infections can happen through interaction with all kinds of files: rich text documents, spreadsheets, presentations and databases. Once they are opened a notification prompt will pop-up asking the users to enable the built-in content. If this is done the infection will follow.
In certain cases the hackers can also deliver the threats via browser hijackers — malicious web browser extensions. They are usually spread on the relevant repositories using an elaborate description promising new feature enhancements. The use of fake developer credentials and use reviews can further coerce the victims into installing it. If this is done then their browser settings will be changed to redirect to a certain hacker-controlled page. The next actions will be to install the relevant Trojan code.
Some of the infections have been caused via vulnerability testing. The hackers use popular security audit tools to find weaknesses in computer hosts and networks. If an unpatched service software is found and they have the right exploit code the Turla Trojan code can be automatically deployed.
Turla Trojan – Detailed Description
Once the Turla Trojan has penetrated the computer’s security it will automatically launch a series of built-in commands. This Trojan uses a different approach in comparison to other threats. Instead of a traditional secure connection to a hacker-controlled server it depends on the delivery of files and email correspondence to automate the infection reports.
This means that the main malware engine can connect to an email inbox hat has been specially created for this purpose. Network administrators will not be able to trace down this specific stream as it appears just like any normal user behavior. The engine will report the data in a file, usually in the form of a PDF file, which is sent as an attachment and sent to the hacker operators. Upon receiving the message the remote administration client will read the data and then send specific instructions using the same mechanism back to the infected hosts.
The security analysis shows that the Turla Trojan have the ability to interact with email clients (Outlook and The Bat!). The malicious engine sets itself as a persistent dependency which allows it to start every time the applications are accessed.
The full analysis has revealed the commands that can be launched by the hackers. The full list of actions includes the following:
- Display a MessageBox — Allows the hackers to display a notification box on the victim’s desktop. This is widely used when orchestrating social engineering attacks.
- Sleep — Triggers a “sleep” power event.
- Delete File — Allows the hackers to choose a file on the users computer that will be deleted.
- Get File — Retrieves a chosen file from the infected machine.
- Set operator email address A(overriding the initial one hardcoded in the DLL) — Changes the controlling email address to another one.
- Put File — Deploys a hacker-specified file to the machines.
- Run Shell Command — Allows the hackers to execute commands of their choice — either in PowerShell or the command prompt.
- Create Process — The malicius engine will create a second process in a separate thread.
- Delete Directory — Deletes a chosen directory.
- Create Directory — Creates a directory under a provided name in a specified directory.
- Change timeout — Modifies the interval between the email correspondence monitoring.
- Run Powershell Command — Enables the hackers to execute PowerShell commands and scripts.
- Set Answer Mode — Modifies the return instructions mode.
Most of the Turla Trojan attacks can be configured using either built-in scripts or programmed by the hackers to carry out complex infiltrations. This includes a persistent installation. This means that it can modify the boot options and automatically start once the computer is booted up. This procedure can also disable access to the recovery menu which will render most manual recovery instructions worthless.
Use of the Turla Trojan can lead to sensitive information harvesting. This means that it can retrieve strings that can expose the victim’s identity — their name, address, phone number, interests, location and any stored account credentials. The other type of information that can be hijacked is metrics about the operating system and the installed hardware components that can be used to optimize the upcoming attacks.
The malicious algorithm can also be configured to delete any System recovery information such as backups and Shadow Volume Copies. This means that effective restore of the infected computers is only possible with a professional-grade recovery software, refer to our instructions for more information on the matter.
It is possible that the Turla Trojan can be modified to execute banking Trojan like behavior. Thanks to the remote control and spying capabilities the hackers can monitor when the victim users enter into certain services like email inboxes and online banks. When they access the relevant login pages the criminals can directly extract the mouse movement and keystrokes. The credentials will be automatically transferred to the hackers.
Remove Turla Trojan
If your computer system got infected with the Turla Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instructions guide provided below.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me:
- Guide 1: How to Remove Turla Trojan from Windows.
- Guide 2: Get rid of Turla Trojan on Mac OS X.
- Guide 3: Remove Turla Trojan in Google Chrome.
- Guide 4: Erase Turla Trojan from Mozilla Firefox.
- Guide 5: Uninstall Turla Trojan from Microsoft Edge.
- Guide 6: Remove Turla Trojan from Safari.
- Guide 7: Eliminate Turla Trojan from Internet Explorer.
- Guide 8: Disable Turla Trojan Push Notifications in Your Browsers.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
How to Remove Turla Trojan from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove Turla Trojan
Step 2: Uninstall Turla Trojan and related software from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
Follow the instructions above and you will successfully uninstall most programs.
Step 3: Clean any registries, created by Turla Trojan on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by Turla Trojan there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
Get rid of Turla Trojan from Mac OS X.
Step 1: Uninstall Turla Trojan and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove Turla Trojan via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
→ ~/Library/LaunchAgents
/Library/LaunchDaemons
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove Turla Trojan files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as Turla Trojan, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
Remove Turla Trojan from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
Erase Turla Trojan from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
Uninstall Turla Trojan from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
Remove Turla Trojan from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Turla Trojan will be removed.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer Stop Push Pop-ups
Eliminate Turla Trojan from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
Remove Push Notifications caused by Turla Trojan from Your Browsers.
Turn Off Push Notifications from Google Chrome
To disable any Push Notices from Google Chrome browser, please follow the steps below:
Step 1: Go to Settings in Chrome.
Step 2: In Settings, select “Advanced Settings”:
Step 3: Click “Content Settings”:
Step 4: Open “Notifications”:
Step 5: Click the three dots and choose Block, Edit or Remove options:
Remove Push Notifications on Firefox
Step 1: Go to Firefox Options.
Step 2: Go to “Settings”, type “notifications” in the search bar and click "Settings":
Step 3: Click “Remove” on any site you wish notifications gone and click “Save Changes”
Stop Push Notifications on Opera
Step 1: In Opera, press ALT+P to go to Settings
Step 2: In Setting search, type “Content” to go to Content Settings.
Step 3: Open Notifications:
Step 4: Do the same as you did with Google Chrome (explained below):
Eliminate Push Notifications on Safari
Step 1: Open Safari Preferences.
Step 2: Choose the domain from where you like push pop-ups gone and change to "Deny" from "Allow".
