Home / / Hacking group hides malware in anti-internet censorship software

Hacking group hides malware in anti-internet censorship software

Kaspersky researchers have discovered that the Russian-speaking threat actor Turla has revamped its toolset

Hacking group hides malware in anti-internet censorship software

Turla wraps its famous JavaScript KopiLuwak malware in a new dropper called Topinambour, creating two similar versions in other languages, and distributing its malware through infected installation packs for software.

Researchers believe these measures are designed to minimize detection and precision target victims. Topinambour was spotted in an operation against government entities at the start of 2019.

Turla is a high profile Russian-speaking threat actor with a known interest in cyberespionage against government and diplomatic related targets. It has a reputation for being innovative and for its signature KopiLuwak malware, first observed in late 2016. In 2019, Kaspersky researchers uncovered new tools and techniques introduced by the threat actor that increase stealth and help to minimize detection.

Topinambour (named after the vegetable that is also known as a Jerusalem artichoke) is a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs like VPNs for circumventing internet censorship.

KopiLuwak is designed for cyberespionage and Turla's latest infection process includes techniques that help the malware to avoid detection.  For example, the command and control infrastructure has IPs that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless' - the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready.

The two KopiLuwak analogues: the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan are also designed for cyberespionage.  Researchers believe that these versions are deployed against targets with security software installed that is able to detect KopiLuwak.

Upon successful installation, all three versions can:

Fingerprint targets, to understand what kind of computer has been infected

Gather information on system and network adapters

Steal files

Download and execute additional malware

MiamiBeach is also able to take screenshots

"In 2019, Turla emerged with a revamped toolset, introducing a number of new features possibly to minimize detection by security solutions and researchers. These include reducing the malware's digital footprint, and the creation of two different but similar versions of the well-known KopiLuwak malware. The abuse of installation packs for VPN software that can circumvent internet censorship suggests the attackers have clearly defined cyberespionage targets for these tools.

The continued evolution of Turla's arsenal is a good reminder of the need for threat intelligence and security software that can protect against the latest tools and techniques used by APTs.  For example, endpoint protection and checking file hashes after downloading installation software would help to protect against threats like Topinambour," - said Kurt Baumgartner, principal security researcher at Kaspersky.

Follow us to get the most comprehensive IT Security news delivered fresh from our social media accounts on Facebook, Twitter, Youtube, and listen to our Weekly Podcast. Click here to sign up for our weekly newsletter on curated technology news in the Middle East and Worldwide.

REGISTER NOW | Webinar Event | Security you can bank on – Safeguarding the Middle East’s financial sector

Presented in partnership with security and network specialist Cybereason, the second in the three part webinar series will bring together a panel of experts to discuss how banks and financial institutions are evolving their service offering while simultaneously staying one step ahead of the cyber criminals who seek to bring their operations crashing to the ground.