The Turla Group developed and used the PNG Dropper malware. It was first discovered back in August 2017 by Carbon Black researchers.
Back in 2017 it was being used to distribute Snake (also known as Uroburos), but more recently NCC Group researchers have uncovered samples carrying a new payload that they have internally named RegRunnerSvc.
This method detects malicious services mentioned in the Turla PNG dropper report by NCC Group in November 2018.
title: Turla Dropper Detection
description: This method detects malicious services mentioned in the Turla PNG dropper report by NCC Group in November 2018. The dropper family, referred to internally as PNG_dropper, was observed being used as a second-stage tool in different targeted attacks. One of the final payloads created by this dropper is an Uroburos variant used by the Turla group, which traditionally operates out of Russia. The technique lets the attackers conceal their secondary payloads and bypass different AV products. Attackers, regardless of their skills and motives, often attempt to wrap malicious code in a way that will seem innocuous to practitioners and security products.
author: AmirAli Amiri
EventID: 1
condition: selection1 or selection2
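The rule fragment above keys on Sysmon EventID 1 (process creation) and fires when either of two selections matches. The page does not list the selections' indicator values, so the following is an added example, not the rule's own content: a small Sigma-style evaluator that applies a two-selection "or" rule to constructed Sysmon records. The Image and CommandLine values (placeholder_svc_a, placeholder_svc_b) are placeholders chosen for illustration, not the Turla PNG dropper's real service names.

```python
"""Sigma-style evaluation of a two-selection 'or' rule over Sysmon EventID 1
(process creation) events.

Added example for this page; it is not the rule's own content. The Image and
CommandLine indicators below are placeholders, not the Turla PNG dropper's
real service names, which this page does not list."""


# Hypothetical rule shaped like the fragment on this page: two selections,
# each keyed on Sysmon EventID 1, joined by "selection1 or selection2".
# Sigma field modifiers follow the field name after a pipe.
RULE = {
    "detection": {
        "selection1": {"EventID": 1, "Image|endswith": "\\placeholder_svc_a.exe"},
        "selection2": {"EventID": 1, "CommandLine|contains": "placeholder_svc_b"},
        "condition": "selection1 or selection2",
    }
}

# Constructed Sysmon EventID 1 records (not real telemetry). The last one is a
# Service Control Manager install event (7045) carrying the same image name,
# included to show that this rule only fires on Sysmon process creation.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\placeholder_svc_a.exe",
     "CommandLine": "placeholder_svc_a.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k placeholder_svc_b"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceName": "placeholder_svc_a",
     "ImagePath": "C:\\Windows\\System32\\placeholder_svc_a.exe"},
]


def field_matches(event, key, expected):
    """Match one 'Field' or 'Field|modifier' entry; string modifiers are
    case-insensitive, as Sigma specifies."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if not modifier:
        return value == expected
    v, e = str(value).lower(), str(expected).lower()
    if modifier == "contains":
        return e in v
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "endswith":
        return v.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Fields inside a single selection are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule):
    """Evaluate the condition; 'and' binds tighter than 'or', so the
    expression is split into disjuncts of conjuncts."""
    det = rule["detection"]
    hits = {name: selection_matches(event, sel)
            for name, sel in det.items() if name != "condition"}
    return any(all(hits[n] for n in conj.split(" and "))
               for conj in det["condition"].split(" or "))


def scan(events, rule=RULE):
    """Return the indexes of events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev, rule)]


if __name__ == "__main__":
    print(scan(EVENTS))  # [0, 1]
```

The fourth record is the check a practitioner should run before deploying a rule like this: the same binary showing up as a service installation in the System log (EventID 7045) does not match, because the rule is bound to Sysmon's process-creation event. Confirm that the log source feeding the rule is actually Sysmon, and if the goal is to catch the service being installed rather than started, a separate selection on the System log is needed.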