SIGS: ET TROJAN TinyTurlaNG Turla APT

kevross33 · February 16, 2024, 5:41pm

alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS (msg:“ET TROJAN TinyTurlaNG Turla APT Initial Client Beacon”; flow:established,to_server; content:“POST”; http_method; content:"form-data|3B|name=|22|id|22|; http_client_body; content:“form-data|3B|name=|22|result|22|”; http_client_body; distance:0; content:“Client Ready”; http_client_body; distance:0; classtype:trojan-activity; reference:url,blog.talosintelligence.com/tinyturla-next-generation/; sid:123441; rev:1;)

alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS (msg:“ET TROJAN TinyTurlaNG Turla APT GetTask Request”; flow:established,to_server; content:“POST”; http_method; content:"form-data|3B|name=|22|id|22|; http_client_body; content:“form-data|3B|name=|22|gettask|22|”; http_client_body; fast_pattern:4,20; distance:0; classtype:trojan-activity; reference:url,blog.talosintelligence.com/tinyturla-next-generation/; sid:123442; rev:1;)

Kind Regards,
Kevin Ross

ishaughnessy · February 16, 2024, 7:32pm

Hey @kevross33 - Thanks for the submission, we’ll get these in today’s release!!

ishaughnessy · February 16, 2024, 10:53pm

  2050902 - ET MALWARE TinyTurlaNG Turla APT Initial Client Beacon
  2050903 - ET MALWARE TinyTurlaNG Turla APT GetTask Request

Topic		Replies	Views
New Signatures: BunnyLoader Rule Signatures	1	161	March 18, 2024
New Sig: ET TROJAN W32/Kazuar.Backdoor Turla APT Hardcoded Cookie Rule Signatures	1	259	November 20, 2023
NEW SIG: ET TROJAN Falsefont.Backdoor APT33 Initial Handshake Rule Signatures	1	151	March 22, 2024
SIGS: Kapeka/ICYWELL Backdoor APT44/Sandworm Part 2 Rule Signatures	1	90	April 18, 2024
RedLine Stealer beacon Rule Signatures	1	307	January 6, 2023

SIGS: ET TROJAN TinyTurlaNG Turla APT

Related Topics