Wednesday, July 17, 2024

Turla APT Hackers Upgraded Its Arsenal with New Hacking Tool “Topinambour” to Attack Government Networks

Infamous Turla APT Hackers group renew its arsenal with a new hacking tool named “Topinambour ” also called as aka Sunchoke that is mainly used to target and compromise the government networks.

The newly added tool started using at the beginning of 2019, and the malware authors named it as Tonpinambour by themselves for this renewed hacking tool.

Turla APT group also known as Venomous Bear or Waterbug which is actively attacking various government network since 2004 especially in the Middle East, Central and Far East Asia, Europe, North and South America.

Turla is also responsible for some of the high-profile breaches including United States Central Command in 2008, Swiss military company RUAG in 2014, French Armed Forces in 2018 and the APT has actively attacked more than a decade.

In this campaign, this renewed tool relaying with .NET module which is intended to deliver the known KopiLuwak JavaScript Trojan and also it has heavily obfuscated PowerShell Trojan.

Threat actors randomly using various strings within this .NET module including “TrumpTower”, “RocketMan, “MiamiBeach” and is used as an initial message from compromised victims to control server, compromised WordPress websites where threat actor injected the .php scripts.

Topinambour Infection Process

The initial stage of an attack, threat actors using legitimate software installer that already infected by Topinambour dropper, which is one of the effective methods to bypass the internet censorship.

This dropper holding the .NET shell that will wait for Windows shell commands from threat actors. Using this .NET shell and rented SMB shares on virtual private servers (VPS), threat actors launch the next stage of malware using Windows shell commands such as “net use” and “copy”.

In this case, researchers stated that “It’s hard to believe, but SMB still works through public networks.” and the campaign-related VPSs are located in South Africa.

According to Kaspersky Research, ” The purpose of all this infrastructure and modules in JavaScript, .NET and PowerShell is to build a “fileless” module chain on the victim’s computer consisting of an initial small runner and several Windows system registry values containing the encrypted remote administration tool. The tool does all that a typical Trojan needs to accomplish: upload, download and execute files, fingerprint target systems. “

Threat actors creatively using a “make_some_noise()”, a remote shell persistence function to avoid detection from security detection software.

Tiny .NET shell receives the Windows shell commands from the Command & Control server and silently execute them.

Later, KopiLuwak dropper is ready to launch into the victim’s machine .NET remote shell silently downloads scripts from the C2 server using “Net use” and “copy” Windows shell commands and eventually victims infected with KopiLuwak obfuscated JavaScript.

“The downloaded script takes a binary from the Windows registry and runs it. The registry subkeys and values vary from target to target.”

Researchers believe that the development of KopiLuwak’s PowerShell and .NET modules to prevent the detection of the javascript version.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer,” Kaspersky reported.

Indicators of compromise

Some campaign-related MD5 hashes


Domains and IP’sVPSs used as control servers

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Turla APT Hackers Attack Microsoft Exchange Server using Powerful Malware to Spying on Emails

Turla Mosquito Hacking Group Exploiting Backdoor Using Metasploit To Compromise the Target System


Latest articles

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...

Resonance Security Launches Harmony to Monitor and Detect Threats to Web2 and Web3 Apps

Quick take:Harmony is the fourth cybersecurity application Resonance developed to address the disconnect in...

Beware! of New Phishing Tactics Mimic as HR Attacking Employees

Phishing attacks are becoming increasingly sophisticated, and the latest strategy targeting employees highlights this...

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022,...

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles