Topinambour Campaign by Turla APT

Delaware, USA – July 16, 2019 – Since the beginning of the year, notorious Turla APT has been using new tools for cyber espionage distributed through infected installers of the legitimate software. Researchers at Kaspersky Lab analyzed the malware which is called Topinambour by its authors and the infrastructure of campaigns targeted at government agencies. Initially, a small .NET shell is dropped into the target system, which downloads modules and payload from SMB shares on rented virtual private servers located in South Africa. The location of the servers is not accidental since the rented VPS has 197.168.X.X IPs, which can distract the security officer during the analysis of the logs. Topinambour loads one of the versions of trojan almost identical in functionality but written in PowerShell, JavaScript, or .NET. Only two commands are used for this: “Net use” and “copy”. The KopiLuwak trojan is written in JavaScript and receives instructions from hacked WordPress sites. Adversaries use it for downloading and execution of commands, and also for installation of more sophisticated tools. The other two versions are called RocketMan trojan (written on .NET) and MiamiBeach (PowerShell trojan). MiamiBeach differs from the rest of the trojans in that it can take screenshots.

Turla APT is known for its sophisticated tools and unusual ideas during attacks. The development of several functional Trojans with similar functionality is not uncommon among APT groups, so the Fancy Bear group created versions of Zebrocy on AutoIt, Delphi, VB.NET, C #, and Visual C ++. This usually allows attackers to longer avoid detection by antivirus solutions. You can explore techniques used by Turla APT in Threat Detection Marketplace in the MITRE ATT&CK section: