New malware called ‘Topinambour’ deployed by Turla APT group
July 16, 2019 | Malware and Vulnerabilities
- The malware is distributed through installers of legitimate software such as Softether VPN, psiphon3, or Microsoft Office ‘activators’.
- It consists of modules written in JavaScript, .NET and PowerShell, which the actors swap in and out to build different versions of the malware.
Turla APT, also known as Waterbug and Venomous Bear among many other names, was found using a new dropper in a campaign earlier this year. The discovery was made by security researchers at Kaspersky.
Dubbed ‘Topinambour’, the dropper is reported to fingerprint compromised machines and to upload and execute further malicious files on them. Topinambour has modules written in JavaScript, .NET and PowerShell. Researchers believe the modules are used interchangeably to create different versions of the malware, so that the operation can continue if one version is detected on a victim’s machine.
The big picture
- In a detailed post, Kaspersky describes the new tools Turla APT used in a 2019 campaign, chiefly Topinambour and its related modules.
- The campaign reportedly targeted governments, as observed in previous Turla campaigns.
- To spread Topinambour, the group trojanized installers of legitimate software such as SoftEther VPN and psiphon3, as well as Microsoft Office ‘activators’.
- The malware contains a tiny .NET shell that lets the actors execute Windows shell commands on infected machines. To spread further modules, they also used SMB shares hosted on virtual private servers.
- The .NET module is also used to deliver KopiLuwak, a JavaScript Trojan already well known from earlier Turla activity.
- The actors relied on compromised WordPress sites as infrastructure for distributing Topinambour.
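Because the delivery vector here is a repacked installer for software the victim actually wanted, the practical check before running any such download is whether it still carries a valid Authenticode signature from the expected publisher (and, where the vendor publishes one, whether its SHA-256 matches). The following PowerShell function is an added example for this page; it is not code from the article or from Kaspersky, and the publisher strings, paths and hash placeholder in the usage lines are assumptions rather than verified vendor values. Office ‘activators’ fail this check by construction, since no legitimate publisher signs them.

```powershell
# Added example (not from the article or from Kaspersky): verify a downloaded
# installer before running it. A repacked installer with injected code either
# loses its signature (NotSigned), breaks it (HashMismatch), or is re-signed by
# someone other than the real publisher, so all three conditions are checked.
# The $ExpectedPublisher values used at the bottom are illustrative assumptions.

function Test-TrustedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Substring(s) that must appear in the signer certificate's Subject field.
        [Parameter(Mandatory)][string[]]$ExpectedPublisher,
        # SHA-256 published by the vendor, if one is available; optional.
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    # 1. Optional hash pin against the vendor-published value.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "SHA-256 mismatch ($actual)" }
        }
    }

    # 2. The Authenticode signature must verify against the file contents and
    #    chain to a trusted root. Anything other than 'Valid' is a stop.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # 3. A valid signature from the wrong signer is still a red flag, so the
    #    certificate subject has to name the publisher you expected.
    $subject = $sig.SignerCertificate.Subject
    $match = $ExpectedPublisher | Where-Object { $subject -like "*$_*" }
    if (-not $match) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "signed by $subject" }
}

# Usage (paths, publisher strings and the hash placeholder are assumptions):
# Test-TrustedInstaller -Path 'C:\Downloads\softether-vpnclient.exe' -ExpectedPublisher 'SoftEther'
# Test-TrustedInstaller -Path 'C:\Downloads\psiphon3.exe' -ExpectedPublisher 'Psiphon' -ExpectedSha256 '<vendor-published hash>'
```

The function returns an object rather than printing, so it can be run over a whole download directory and the `Trusted` field filtered on. Note what it does not cover: if the publisher's own build or signing pipeline were compromised, a trojanized installer would carry a valid signature from the right subject, which is why the hash pin against an out-of-band published value is worth keeping when the vendor offers one.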
Odd strings and KopiLuwak usage
Kaspersky researchers also noted some odd strings in the Topinambour .NET modules. “It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as ‘RocketMan!’, ‘TrumpTower’ or ‘make_some_noise’. They are hardly likely to serve as false flags,” the researchers said.
“The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence,” the researchers concluded.