Turla APT group adds Topinambour Trojan to its arsenal

Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.

Security experts at Kaspersky revealed that the Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks since early 2019.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.

Now Kaspersky published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan that was involved in targeted attacks since the beginning of this year. 

Topinambour is spread via tainted legitimate software installers, the dropper includes a tiny .NET shell that is used to deliver commands to the target machine and deliver other modules via SMB.

“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.

“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”“

The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic. 

The tiny .NET shell dropped on the target system connects the C2 server and fetches the KopiLuwak dropper, that gains persistence and drops a JavaScript file that leads to the final stage Trojan.

Recent operations also involved another .NET Trojan along with the KopiLuwak JavaScript, it was called RocketMan and supports commands to download/upload a file, and to halt the Trojan activity. 

Hackers also used a PowerShell Trojan tracked as MiamiBeach, it differs from the RocketMan Trojan due to its ability to take a screenshot.

“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-known, publicly discussed JavaScript versions.” concludes Kaspersky.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left,”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Turla APT, Topinambour)

[adrotate banner=”5″]

[adrotate banner=”13″]