TOPINAMBOUR: THE NEW MALWARE DEVELOPED BY TURLA APT GROUP

BACKGROUND:

Before discussing Topinambour, a little history. According to security researchers at Kaspersky, the Turla APT group, also known as Waterbug, Venomous Bear and several other names, was found using a new dropper in a campaign this year.

Dubbed “Topinambour”, the malware is reported to upload and execute malicious files on infected machines and to fingerprint them. Topinambour has modules written in JavaScript, .NET and PowerShell.

Researchers believe the modules are used interchangeably to produce different versions of the malware, so that an alternative is available if one version is detected on a victim’s machine.

How Does it Work?

The malware is distributed through installers of legitimate software such as SoftEther VPN, Psiphon3, or Microsoft Office ‘activators’ that carry the dropper.

It consists of modules written in JavaScript, .NET and PowerShell, which are combined interchangeably to build different versions of the malware.


NEWS ON SOFTWARE:

In a detailed post, Kaspersky describes the new tools used by Turla APT in a recent campaign in 2019. This mainly includes using the new Topinambour and related modules.

The campaign is reported to have targeted government entities, consistent with the group’s previous campaigns.


THE HARM:

To spread Topinambour, the APT group used installers of legitimate software such as SoftEther VPN, Psiphon3, or Microsoft Office ‘activators’.
The malware includes a tiny .NET shell through which the operators execute Windows shell commands on infected machines. Further modules are fetched over the SMB protocol from attacker-controlled virtual private servers.

The .NET module in the malware is used to deliver another well-known JavaScript Trojan, KopiLuwak.
The actors relied on compromised WordPress sites to spread Topinambour.
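The two behaviours described above, a small .NET shell that runs operator-supplied Windows shell commands and retrieval of further modules over SMB from VPS hosts, are the kind of thing a detection team can hunt for without any sample-specific indicator. The script below is an added example, not Kaspersky’s or the article’s code: it runs two behavioural rules over endpoint telemetry in a constructed key=value format (the field names, the sample events, the “user-writable directory” heuristic and the internal address ranges are all assumptions to be mapped onto your own EDR or Sysmon schema).

```python
"""
Behavioural hunt for two traits the article attributes to the Topinambour
dropper: a tiny .NET shell that executes Windows shell commands for the
operator, and retrieval of further modules over SMB from attacker-controlled
VPS hosts.

Added example, not Kaspersky's or the article's code. The log format
(key=value, one event per line) and the sample events are constructed for
this demonstration; map the field names onto your own EDR/Sysmon schema.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Heuristic (assumption): an implant dropped by a trojanised installer usually
# lives in a user-writable location rather than Program Files / System32.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Ranges treated as "inside" the organisation. Adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "process_create":
            image = ev.get("image", "").lower()
            parent = ev.get("parent_image", "").lower()
            # Rule 1: a command shell spawned by a binary in a user-writable path
            # is what a small implant "executing Windows shell commands" looks like.
            if (image.rsplit("\\", 1)[-1] in SHELLS
                    and any(d in parent for d in USER_WRITABLE_DIRS)):
                findings.append(Finding("shell_from_user_writable_parent",
                                        ev.get("host", "?"),
                                        f"{parent} -> {ev.get('cmdline', image)}"))
        elif kind == "network_connect":
            # Rule 2: SMB (TCP 445) leaving the internal ranges. Legitimate SMB
            # stays inside the network; module retrieval from a VPS does not.
            if ev.get("dst_port") == "445" and is_external(ev.get("dst_ip", "127.0.0.1")):
                findings.append(Finding("outbound_smb_to_external",
                                        ev.get("host", "?"),
                                        f"{ev.get('image', '?').lower()} -> {ev['dst_ip']}:445"))
    return findings


# Constructed sample telemetry. 203.0.113.10 is a documentation-range placeholder,
# not a real indicator.
SAMPLE_LOG = r"""
type=process_create host=WS01 image="C:\Windows\System32\cmd.exe" parent_image="C:\Windows\explorer.exe" cmdline="cmd.exe /c ipconfig"
type=process_create host=WS01 image="C:\Windows\System32\cmd.exe" parent_image="C:\Users\bob\AppData\Local\Temp\upd.exe" cmdline="cmd.exe /c whoami"
type=network_connect host=WS01 image="C:\Users\bob\AppData\Local\Temp\upd.exe" dst_ip=10.0.0.5 dst_port=445
type=network_connect host=WS01 image="C:\Users\bob\AppData\Local\Temp\upd.exe" dst_ip=203.0.113.10 dst_port=445
type=network_connect host=WS02 image="C:\Windows\explorer.exe" dst_ip=192.168.1.20 dst_port=445
""".strip().splitlines()


def sample_findings() -> List[Finding]:
    """Run the rules over the constructed sample; two of the five events fire."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Rule 2 is the cheaper and higher-confidence of the two: workstations almost never have a legitimate reason to speak SMB to an address outside the organisation, so a single outbound 445 connection is worth a ticket regardless of which malware family is behind it. Rule 1 will need tuning per environment (installers and updaters in %TEMP% do spawn cmd.exe), which is why the parent path heuristic is kept in one tuple that you can tighten.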

STRANGE NEWS:

Kaspersky researchers noted some unusual strings in the Topinambour .NET modules.
The researchers said:

“It’s a bit surprising, amusing and not entirely clear why the developers have used some seemingly US-related strings such as “RocketMan!”, “TrumpTower” or “make_some_noise”. They are hardly likely to serve as false flags,”

The researchers concluded:

“The usage of KopiLuwak, a well-known and exclusive artifact previously used by the Turla group, makes us attribute this campaign to this actor with high confidence”
