Cybercriminals from the Turla gang armed with new malware

Turla group updated its arsenal with a set of tools for attacking government structures.

In particular, attackers use a dropper called Topinambour, used in the first stage of attacks. After installation, it downloads other malware to the system that Turla uses to access target networks and extract data.

According to Kaspersky Lab, the criminals distribute the new modules through legitimate software installers infected with the Topinambour dropper. These can be tools for bypassing Internet censorship, such as SoftEther VPN 4.12 and Psiphon3, or Microsoft Office activators; the latter are used by pirates to activate Microsoft Office without buying a key.


The Russian-speaking hacker group Turla (Snake, Venomous Bear, Waterbug and Uroboros) is famous for its attacks on Western governments, as well as embassies and consulates in the countries of the former Soviet Union.

“Topinambour contains a tiny .NET shell that waits for commands from the C&C server and executes them. The C&C infrastructure itself is hosted on compromised WordPress sites and cloud services,” Kaspersky Lab experts said.

Using the “net use” and “copy” commands, the campaign operators distribute the next-stage malicious modules: the KopiLuwak tool, as well as the new MiamiBeach and RocketMan! Trojans, written in PowerShell and .NET.
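The staging step described above (mapping a remote share with “net use” and then copying a payload onto it) leaves a recognisable pair of process-creation events. The following is an added detection example written for this page, not code from Kaspersky Lab or from the article; it runs over constructed, simplified Sysmon-style log lines (the format and the hostnames, users and paths are all assumed for illustration) and flags “copy” commands whose destination is a remote admin share, raising the severity when the same host and user mapped that share with “net use” shortly beforehand.

```python
"""Correlate 'net use' with a following 'copy' to a remote admin share.

Hypothetical detection logic written for this page. Each constructed log line has the
shape "<ISO timestamp> <source host> <user> <image> <command line>".
"""
import re
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Lines 3-4 model the staging pattern
# from the article; lines 1-2 are a benign copy to an ordinary share; lines 5-6 use an
# admin share but are too far apart in time to be correlated.
SAMPLE_EVENTS = [
    "2019-07-10T09:00:01 HOST-A alice cmd.exe net use Z: \\\\FILESRV\\share /persistent:no",
    "2019-07-10T09:00:05 HOST-A alice cmd.exe copy report.docx Z:\\reports\\",
    "2019-07-10T10:12:00 HOST-B bob cmd.exe net use \\\\HOST-C\\C$ /user:DOMAIN\\bob *",
    "2019-07-10T10:12:30 HOST-B bob cmd.exe copy C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.ps1 \\\\HOST-C\\C$\\Windows\\Temp\\",
    "2019-07-10T11:00:00 HOST-D carol cmd.exe net use \\\\HOST-E\\ADMIN$",
    "2019-07-10T12:30:00 HOST-D carol cmd.exe copy notes.txt \\\\HOST-E\\ADMIN$\\",
]

NET_USE_RE = re.compile(r"^net\s+use\b", re.IGNORECASE)
COPY_RE = re.compile(r"^(copy|xcopy)\b", re.IGNORECASE)
# \\host\share where share is a hidden drive share (C$, D$, ...) or ADMIN$.
ADMIN_SHARE_RE = re.compile(r"\\\\(?P<host>[^\s\\]+)\\(?P<share>[a-z]\$|admin\$)", re.IGNORECASE)
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed tuning value


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, host, user, image, cmdline = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmdline": cmdline}


def admin_share_target(text):
    """Return (remote_host, share) if the text references an admin share, else None."""
    m = ADMIN_SHARE_RE.search(text)
    if not m:
        return None
    return m.group("host").upper(), m.group("share").upper()


def detect_admin_share_staging(lines, window=CORRELATION_WINDOW):
    """Return alerts for 'copy' commands whose destination is a remote admin share.

    Severity is 'high' when the same source host and user mapped that admin share
    with 'net use' within `window` beforehand, and 'medium' otherwise.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent_mappings = {}  # (src_host, user, remote_host, share) -> time of 'net use'
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        if NET_USE_RE.match(cmd):
            target = admin_share_target(cmd)
            if target:
                recent_mappings[(ev["host"], ev["user"]) + target] = ev["ts"]
            continue
        if not COPY_RE.match(cmd):
            continue
        dest = cmd.split()[-1]  # destination is the last argument of copy/xcopy
        target = admin_share_target(dest)
        if not target:
            continue
        mapped_at = recent_mappings.get((ev["host"], ev["user"]) + target)
        severity = "high" if mapped_at and ev["ts"] - mapped_at <= window else "medium"
        alerts.append({"ts": ev["ts"].isoformat(), "source_host": ev["host"],
                       "user": ev["user"], "remote_host": target[0],
                       "share": target[1], "severity": severity, "cmdline": cmd})
    return alerts


if __name__ == "__main__":
    for a in detect_admin_share_staging(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['user']}@{a['source_host']} -> "
              f"\\\\{a['remote_host']}\\{a['share']}: {a['cmdline']}")
```

Run on the constructed sample, the rule produces one high-severity alert for the HOST-B to HOST-C staging and one medium-severity alert for the late copy to HOST-E; the benign copy to an ordinary file share is ignored. The correlation window is the knob to tune: too short and split staging goes unnoticed, too long and routine administration generates noise.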

MiamiBeach and RocketMan! download and execute files and collect information about the system; in addition, the PowerShell version can take screenshots. They also download the final, more sophisticated malicious module, which can execute commands received from the C&C server.

“It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as ‘RocketMan!’, ‘TrumpTower’ or ‘make_some_noise’. They are hardly likely to serve as false flags. The usage of KopiLuwak, a well-known and exclusive artefact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence,” the researchers report.

According to the researchers, creating Trojans with similar functionality in different languages may be a way to evade detection: if one version is found on a computer, the operators can switch to its analogue in another language. The KopiLuwak analogues may have been developed to reduce the risk of the JavaScript versions of the Trojan being detected.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
