Turla APT Returns with New Malware, Anti-Censorship Angle

turla apt Topinambour

A dropper called “Topinambour” is the first-stage implant, which in turn fetches a spy trojan built in several coding languages.

The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.

The Russian-speaking actors believed behind Turla named the dropper “Topinambour,” which is another word for the Jerusalem artichoke (a.k.a. the sunchoke). Since January, Topinambour has become the first-stage implantation for Turla campaigns. Once installed, it fetches all the other malware that the group uses to gain access to target networks and exfiltrate information.

“To deliver [the new modules] to targets, the operators use legitimate software installers infected with the Topinambour dropper,” researchers at Kaspersky wrote in a malware analysis on Monday. “These could be tools to circumvent internet censorship, such as Softether VPN 4.12 and psiphon3, or Microsoft Office activators.” The latter are exceptions to the anti-censorship ploys and are used by software pirates to activate the Microsoft Office suite without having to buy the actual product key.

The abuse of installation packs for VPN software, which can bypass internet censorship, suggests the attackers have clearly defined cyberespionage targets for these tools, the firm added.

Russian-speaking Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroboros) is known for spy campaigns targeting Western governments as well as embassies and consulates in post-Soviet states. It’s been active since at least 2014 (and possibly earlier) developing a range of custom backdoors to carry out its work. It continually evolves both in terms of malware and targets.

The Topinambour dropper contains what Kaspersky calls a “tiny .NET shell” that will wait for Windows shell commands from the command-and-control server (C2) and silently execute them. The C2 infrastructure is hosted on compromised WordPress sites and on cloud services.

“Using this and SMB shares on rented virtual private servers (VPS) [in South Africa], the campaign operators spread the next-stage modules using just ‘net use’ and ‘copy’ Windows shell commands,” the researchers noted.

One of these next-stage modules is an already-known Turla tool, the KopiLuwak JavaScript trojan, but more interestingly, Turla has crafted heavily obfuscated PowerShell and .NET trojans that are similar to KopiLuwak, the analysis found. Both (dubbed MiamiBeach and RocketMan!, respectively) were used in an active campaign that started at the beginning of 2019.

Click to enlarge.

The researchers hypothesize that one of the reasons for creating similar trojans in different languages could be to avoid detection. “If one version is detected on the victim’s computer, the operators can try an analogue in a different language,” they explained. “The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-known, publicly discussed JavaScript versions.”

The trojans upload, download and execute files, and fingerprint target systems. The PowerShell version of the trojan also has the ability to capture screenshots. They communicate with the C2 from an opened SMB share on a remote CELL-C VPS in South Africa.

And, they also retrieve a final-stage, more complex trojan, able to parse and execute custom commands from the C2, the researchers added. During the final stage of infection, this encrypted trojan for remote administration is embedded into the computer’s registry for the malware to access when complete.

“The purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a fileless module chain on the victim’s computer consisting of an initial small runner and several Windows system registry values containing the encrypted remote administration tool,” the researchers wrote. “Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left.”

Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More


Suggested articles