The hypothesis is that the detection identifies potential Turla Trojan DLL activity associated with the Symantec Waterbug attack, which may indicate adversary persistence or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise from advanced persistent threats.
YARA Rule
import "pe"

rule WaterBug_turla_dll
{
    meta:
        description = "Symantec Waterbug Attack - Trojan Turla DLL"
        author = "Symantec Security Response"
        date = "22.01.2015"
        reference = "http://www.symantec.com/connect/blogs/turla-spying-tool-targets-governments-and-diplomats"

    strings:
        // null-terminated name of the form [prefix_][prefix_]Win32.dll, prefixes of 2-10 alphanumerics
        $a = /([A-Za-z0-9]{2,10}_){,2}Win32\.dll\x00/

    condition:
        // pe.exports() needs the pe module imported above; the file must also export "ee"
        pe.exports("ee") and $a
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern ($a) in its detection logic, combined with a condition that the PE file exports a function named "ee".
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job using schtasks.exe runs a legitimate process (e.g., svchost.exe) that loads DLLs as part of system maintenance.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the command line includes valid job names or paths known to be part of enterprise maintenance routines.
Scenario: Microsoft System File Checker (SFC) Scan
Description: The sfc.exe tool is executing a system file check and loading DLLs from the system directory, which may be flagged because the behavior resembles that of the Turla DLL.
Filter/Exclusion: Exclude processes where the executable is sfc.exe and the command line includes /scannow or /verifyonly.
Scenario: Microsoft Update or Patch Installation
Description: A Windows Update or patch installation process (e.g., wuauclt.exe) loads DLLs from the system directory, which may trigger the rule due to similar execution patterns.
Filter/Exclusion: Exclude processes where the executable is wuauclt.exe or setup.exe and the command line indicates an update or installation task.
Scenario: Admin Task Using PowerShell to Load DLLs
Description: An administrator uses PowerShell (powershell.exe) to load a legitimate DLL (e.g., for scripting or automation) that matches the Turla DLL signature.
Filter/Exclusion: Exclude processes where the parent process is cmd.exe or powershell.exe and the script or command is known to be part of authorized administrative tasks.
Scenario: Antivirus or Endpoint Protection Scan
Description: A legitimate antivirus tool (e.g., Symantec Endpoint Protection) performs a scan and loads DLLs from its own directory, which may be mis
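The following is an added example, not code from Symantec or from this page: a Python triage helper that applies the filename form of the rule's string pattern to constructed image-load events and then the exclusion scenarios listed above, standing in for the same logic in an Azure Sentinel hunting query. The event fields, allow-list paths and sample events are assumptions; the pe.exports("ee") half of the rule cannot be evaluated from telemetry and still has to be checked against the file with YARA.

```python
import re
from dataclasses import dataclass
# Filename form of the rule's string ([A-Za-z0-9]{2,10}_){,2}Win32.dll: the YARA
# regex's trailing \x00 becomes end-of-string; matching stays case-sensitive as in YARA.
TURLA_DLL_NAME = re.compile(r"^([A-Za-z0-9]{2,10}_){0,2}Win32\.dll$")

# Hypothetical allow-lists for the "known job paths" / "authorized scripts" the scenarios mention.
KNOWN_JOB_PATHS = {r"c:\programdata\maint\nightly.cmd"}
AUTHORIZED_SCRIPTS = {r"c:\scripts\deploy-agent.ps1"}

@dataclass
class ImageLoadEvent:  # constructed, minimal image-load telemetry record
    process: str       # executable that loaded the DLL
    parent: str        # its parent process
    cmdline: str       # command line of the loading process
    dll: str           # file name of the loaded DLL

def excluded(ev: ImageLoadEvent):
    """Return the scenario name that explains the load as benign, or None if none applies."""
    proc, parent, cmd = ev.process.lower(), ev.parent.lower(), ev.cmdline.lower()
    if parent == "schtasks.exe" and any(j in cmd for j in KNOWN_JOB_PATHS):
        return "scheduled job"
    if proc == "sfc.exe" and ("/scannow" in cmd or "/verifyonly" in cmd):
        return "sfc scan"
    if proc in ("wuauclt.exe", "setup.exe") and ("update" in cmd or "install" in cmd):
        return "update/patch"
    if parent in ("cmd.exe", "powershell.exe") and any(s in cmd for s in AUTHORIZED_SCRIPTS):
        return "authorized admin task"
    return None

def triage(events) -> dict:
    """Map each pattern-matching DLL name to 'hunt' or 'excluded (<scenario>)'."""
    out = {}
    for ev in events:
        if TURLA_DLL_NAME.match(ev.dll):  # names not matching $a are never candidates
            why = excluded(ev)
            out[ev.dll] = f"excluded ({why})" if why else "hunt"
    return out

# Constructed sample events: one true candidate, four benign scenarios, two non-matches.
SAMPLE_EVENTS = [
    ImageLoadEvent("rundll32.exe", "explorer.exe", r"rundll32.exe C:\Users\Public\ab12_Win32.dll", "ab12_Win32.dll"),
    ImageLoadEvent("cmd.exe", "schtasks.exe", r"cmd.exe /c C:\ProgramData\Maint\nightly.cmd", "maint_Win32.dll"),
    ImageLoadEvent("sfc.exe", "cmd.exe", "sfc.exe /scannow", "Win32.dll"),
    ImageLoadEvent("wuauclt.exe", "svchost.exe", "wuauclt.exe /detectnow /updatenow", "wu_Win32.dll"),
    ImageLoadEvent("powershell.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\Deploy-Agent.ps1", "agent_core_Win32.dll"),
    ImageLoadEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs", "kernel32.dll"),
    ImageLoadEvent("notepad.exe", "explorer.exe", "notepad.exe", "toolongname123_Win32.dll"),  # prefix > 10 chars
]
```

Only the single "hunt" verdict is worth an analyst's time; the excluded loads still carry the scenario name so the exclusion itself can be audited later.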