Turla Hacking Group Hides Malware in Anti-Internet Censorship Software

Woburn, MA – July 15, 2019 – Kaspersky researchers have discovered a new malware distribution technique used by the Russian-speaking threat actor Turla: the group now embeds its signature JavaScript malware, KopiLuwak, in a new dropper named Topinambour. First spotted in early 2019 in an operation against government entities, the dropper exists in two functionally similar variants written in different languages and is distributed inside installation packages for software that circumvents internet censorship. Researchers believe these tactics are designed to minimize detection and to target victims more precisely.

Topinambour is a .NET dropper that delivers the JavaScript KopiLuwak implant inside trojanized installation packages for legitimate software, such as VPN clients that users install to bypass internet restrictions. KopiLuwak, which was built specifically for cyberespionage, communicates with command-and-control servers whose IP addresses resemble ordinary LAN addresses, so that its traffic is easily mistaken for local network activity. In addition, the infection chain is almost entirely ‘fileless’, which makes it harder to detect: in the final stage, an encrypted remote-administration Trojan is stored in the Windows registry rather than on disk, and the malware loads it from there once installation is complete.
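The ‘LAN-like C2 address’ trick described above can be hunted for with a simple check: a destination that falls in a private (RFC 1918) range but does not belong to any subnet actually configured on the host is suspicious, because a real LAN peer would be on-link. The following is an added example written for this page, not code from Kaspersky’s report or from Turla’s tooling; the interface list and the connection records are constructed sample data, and the process names are illustrative.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample data (not from the report): subnets configured on the host
# as they would be read from its routing table or interface list.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),  # office LAN
    ipaddress.ip_network("10.20.0.0/16"),    # corporate VPN
]

# Constructed sample connection records in (process, destination IP, port) form,
# the shape you would get from netstat, Sysmon event 3 or Zeek conn.log.
SAMPLE_CONNECTIONS: List[Tuple[str, str, int]] = [
    ("wscript.exe", "192.168.1.10", 445),     # real file server on the LAN
    ("powershell.exe", "10.20.3.7", 443),     # host on the VPN subnet
    ("wscript.exe", "172.16.8.23", 443),      # private-looking, but no such subnet here
    ("chrome.exe", "93.184.216.34", 443),     # ordinary public destination
    ("powershell.exe", "192.168.77.5", 443),  # private range, not our /24
    ("svchost.exe", "127.0.0.1", 135),        # loopback, ignored
]


def is_private_off_link(dst: str, local_networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when dst is a private-range address that is not on any local subnet.

    Loopback, link-local and multicast addresses are never flagged: they are
    never routed off-box and would only add noise.
    """
    ip = ipaddress.ip_address(dst)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    if not ip.is_private:
        return False
    return not any(ip in net for net in local_networks)


def flag_connections(conns: Iterable[Tuple[str, str, int]],
                     local_networks: Iterable[ipaddress.IPv4Network]) -> List[Tuple[str, str, int]]:
    """Return the connection records whose destination looks like a LAN peer
    but cannot be one on this host."""
    nets = list(local_networks)
    return [rec for rec in conns if is_private_off_link(rec[1], nets)]


if __name__ == "__main__":
    for proc, dst, port in flag_connections(SAMPLE_CONNECTIONS, LOCAL_NETWORKS):
        print(f"suspicious: {proc} -> {dst}:{port} (private range, not on any local subnet)")
```

On a real host, build `LOCAL_NETWORKS` from the routing table rather than a static list, and expect legitimate hits from split-tunnel VPNs or cloud VPCs that reach private ranges via a gateway; the point is to surface script interpreters and other unusual parents talking to ‘LAN’ addresses the host has no route to, not to block traffic outright.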

Two further KopiLuwak analogues, the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan, are likewise built for cyberespionage. Researchers believe these versions are deployed against targets whose security software is able to detect KopiLuwak. Once installed, all three KopiLuwak analogues can:

  • Fingerprint targets to understand what kind of computer has been infected
  • Gather information on system and network adapters
  • Steal files
  • Download and execute additional malware
  • Take screenshots (MiamiBeach only)

“In 2019, Turla emerged with an upgraded toolset, introducing a number of new features suspected to minimize detection by security solutions and researchers,” said Kurt Baumgartner, principal security researcher at Kaspersky. “These enhancements include reducing the malware’s digital footprint and the creation of two different, but similar, versions of the well-known KopiLuwak malware. The abuse of installation packs for VPN software that can bypass internet censorship suggests the attackers have clearly defined cyberespionage targets for these tools. The continued evolution of Turla’s arsenal is a good reminder of the need for threat intelligence and security software like endpoint protection that can defend against the latest tools and techniques used by APTs.”

For more information, read the full report on Securelist.