Turla APT, also known as Waterbug, Venomous Bear and by many other names, was found using a new dropper in a recent campaign this year. The discovery was made by security researchers from Kaspersky.
Dubbed ‘Topinambour’, the malware is reported to upload and execute malicious files on compromised machines and to fingerprint them. Topinambour has modules written in JavaScript, .NET, and PowerShell. Researchers believe the modules are used interchangeably to create different versions of the malware, so that another version remains available if one is detected on a victim’s machine.
The big picture
Odd strings and KopiLuwak usage
Kaspersky researchers noted some odd strings in Topinambour’s .NET modules. “It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as ‘RocketMan!’, ‘TrumpTower’ or ‘make_some_noise’. They are hardly likely to serve as false flags,” the researchers said.
“The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence,” the researchers concluded.