
Turla hacking group hides malware in anti-internet censorship software

Kaspersky researchers have discovered that the Russian-speaking threat actor Turla has revamped its toolset — wrapping its famous JavaScript KopiLuwak malware in a new dropper called Topinambour, creating two similar versions in other languages, and distributing its malware through infected installation packs for software that circumvents internet censorship, among others.

Researchers believe these measures are designed to minimize detection and to target victims precisely. Topinambour was spotted in an operation against government entities at the start of 2019.

Kaspersky defines a dropper as a program that secretly installs other malicious programs, embedded in its own code, on a computer. Typically, the dropped program is saved and launched on the victim’s computer without any notification (or with a fake notification). Droppers are used to install other malware covertly or to help known malicious programs evade detection, since not all anti-malware programs can scan every component inside a dropper.

Turla is a high-profile Russian-speaking threat actor with a known interest in cyberespionage against government and diplomacy-related targets. It has a reputation for innovation and for its signature KopiLuwak malware, first observed in late 2016. In 2019, Kaspersky researchers uncovered new tools and techniques introduced by the threat actor that increase stealth and help to minimize detection.

Topinambour (named after the vegetable also known as the Jerusalem artichoke) is a new .NET file that Turla uses to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software, such as VPNs used to circumvent internet censorship.

KopiLuwak is designed for cyberespionage, and Turla’s latest infection process includes techniques that help the malware avoid detection. For example, the command-and-control infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is stored in the computer’s registry for the malware to retrieve when ready.

The two KopiLuwak analogues, the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan, are also designed for cyberespionage. Researchers believe that these versions are deployed against targets whose installed security software is able to detect KopiLuwak. Upon successful installation, all three versions can:

  • Fingerprint targets, to understand what kind of computer has been infected
  • Gather information on system and network adapters
  • Steal files
  • Download and execute additional malware
  • Take screenshots (MiamiBeach only)

“In 2019, Turla emerged with a revamped toolset, introducing a number of new features possibly to minimize detection by security solutions and researchers. These include reducing the malware’s digital footprint, and the creation of two different but similar versions of the well-known KopiLuwak malware. The abuse of installation packs for VPN software that can circumvent internet censorship suggests the attackers have clearly defined cyberespionage targets for these tools,” said Kurt Baumgartner, principal security researcher at Kaspersky.

“The continued evolution of Turla’s arsenal is a good reminder of the need for threat intelligence and security software that can protect against the latest tools and techniques used by APTs. For example, endpoint protection and checking file hashes after downloading installation software would help to protect against threats like Topinambour,” Baumgartner added.
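The hash check Baumgartner recommends, as an added illustration that is not part of the Kaspersky report or this article: the installer is streamed through SHA-256 and compared in constant time against the value the vendor publishes alongside the download. The installer contents, file names and "published" hash below are constructed for the demo; a real check would take the expected hash from the vendor's signed release page or manifest.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: str, expected_sha256: str) -> bool:
    """Return True only if the file's SHA-256 equals the vendor-published value.

    The expected value is normalised to lower case (vendors publish either case)
    and compared with hmac.compare_digest rather than ==.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def demo() -> tuple:
    """Constructed demo: a 'clean' package and a copy with extra bytes appended.

    Returns (clean_verified, tampered_verified); expected (True, False).
    """
    clean = b"VPN-INSTALLER-v1.2.3-" * 1000        # constructed stand-in for a real package
    tampered = clean + b"\x00EXTRA-BYTES"           # constructed: same package, modified
    published = hashlib.sha256(clean).hexdigest()  # stand-in for the vendor's published hash
    with tempfile.TemporaryDirectory() as d:
        clean_path = os.path.join(d, "clean-installer.exe")
        bad_path = os.path.join(d, "tampered-installer.exe")
        with open(clean_path, "wb") as f:
            f.write(clean)
        with open(bad_path, "wb") as f:
            f.write(tampered)
        return verify_installer(clean_path, published), verify_installer(bad_path, published)


if __name__ == "__main__":
    ok, bad = demo()
    print("clean installer verified:   ", ok)
    print("tampered installer verified:", bad)
```

A mismatch means the download must not be run; it should be re-fetched from the vendor and, if it still fails, reported to the security team.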

To reduce the risk of falling victim to sophisticated cyberespionage operations, Kaspersky recommends taking the following measures:

  • Implement security awareness training for staff explaining how to recognize and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors. 
