The Turla group has updated its arsenal with a set of tools for attacking government structures. In particular, the attackers use a dropper called Topinambour in the first stage of their attacks. Once installed, it downloads the other malware that Turla uses to gain access to target networks and extract data.
According to Kaspersky Lab, the criminals distribute the new modules through legitimate software installers infected with the Topinambour dropper. These can be tools for bypassing Internet censorship, such as Softether VPN 4.12 and psiphon3, or Microsoft Office activators. The latter are used by pirates to activate Microsoft Office without having to buy a key.
The Russian-speaking hacker group Turla (Snake, Venomous Bear, Waterbug and Uroboros) is famous for its attacks on Western governments, as well as embassies and consulates in the countries of the former Soviet Union.
Topinambour contains a “tiny .NET shell that waits for commands from the C&C server and executes them. The C&C infrastructure itself is hosted on compromised WordPress sites and cloud services”, Kaspersky Lab experts said.
Using the “net use” and “copy” commands, the campaign operators distribute the next-stage malicious modules: the KopiLuwak tool, as well as the new MiamiBeach and RocketMan! Trojans, written in PowerShell and .NET.
MiamiBeach and RocketMan! download and execute files and collect information about the system; in addition, the PowerShell version can take screenshots. They also download the final, more sophisticated malicious module, which can execute commands received from the C&C server.
“It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as “RocketMan!”, “TrumpTower” or “make_some_noise”. They are hardly likely to serve as false flags. The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence”, the researchers report.