Turla Hacking Group Hides Malware in Anti-Internet Censorship Software

Woburn, MA – July 15, 2019 – Kaspersky researchers have discovered a new malware distribution technique from Russian-speaking threat actor, Turla, exposing the group for integrating their signature JavaScript KopiLuwak malware in a new dropper named Topinambour. First spotted in early 2019 in an operation against government entities, this highly specialized malware creates two similar versions in different languages to distribute the infection throughout installation packs for software that circumvents internet censorship. Researchers believe these tactics are designed to minimize detection and more precisely target victims.

Topinambour’s new .NET file distributes and drops its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs in an attempt to bypass internet restrictions. KopiLuwak, which was previously designed specifically for cyberespionage, leverages Turla’s infection process to avoid detection by gaining access to command and control infrastructure IPs that appear to mimic ordinary LAN addresses. Additionally, Topinambour’s malware is almost completely ‘fileless’ making it more challenging to detect. During the final stage of infection, an encrypted Trojan for remote administration is embedded into the computer’s registry for the malware to access when complete.

The existing KopiLuwak analogues, the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan, are also specially designed for cyberespionage. Researchers believe that these versions are deployed against targets with security software that is able to detect KopiLuwak. Upon successful installation, all three KopiLuwak analogues can:

• Fingerprint targets to understand what kind of computer has been infected
• Gather information on system and network adapters
• Steal files
• Download and execute additional malware
• Take screenshots via MiamiBeach

“In 2019, Turla emerged with an upgraded toolset, introducing a number of new features suspected to minimize detection by security solutions and researchers,” said Kurt Baumgartner, principal security researcher at Kaspersky. “These enhancements include reducing the malware’s digital footprint and the creation of two different, but similar, versions of the well-known KopiLuwak malware. The abuse of installation packs for VPN software that can bypass internet censorship suggests the attackers have clearly defined cyberespionage targets for these tools. The continued evolution of Turla’s arsenal is a good reminder of the need for threat intelligence and security software like endpoint protection that can defend against the latest tools and techniques used by APTs.”

For more information, read the full report on Securelist.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Media Contact: 
Gayle Landry 
Gayle.Landry@kaspersky.com
781-503-1874