Russia-linked Turla APT revamps arsenal to avoid detection with fileless malware

The hacking group has developed new forms of malware to avoid detection from software programs such as VPNs.

A Russia-linked hacking group has "revamped its arsenal" by adding new features to minimise detection by security solutions and researchers.

That's according to Kaspersky, which has been investigating the way in which threat actor Turla launches attacks against government and diplomatic groups.

They claim that the group has revamped its toolset by wrapping its JavaScript KopiLuwak malware in a new dropper called Topinambour to create two similar versions in different languages.

The researchers said that the malware was then distributed via infected installation packs for software that circumvents internet censorship and that these measures are designed to minimise detection and precision target victims.

Researchers first spotted Topinambour at the start of 2019, when it was being used by hackers to target government entities and other diplomatic targets.

The malware, which is named after the vegetable better known as the Jerusalem artichoke, is comprised of a Microsoft .NET file that distributes Turla's JavaScript KopiLuwak through infected installation packages for VPNs and other forms of software.

"KopiLuwak is designed for cyberespionage and Turla's latest infection process includes techniques that help the malware to avoid detection," explained Kaspersky in a media announcement.

"For example, the command and control infrastructure has IPs that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless' - the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer's registry for the malware to access when ready."

Kaspersky added that the two KopiLuwak analogues (the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan) were also "designed for cyber espionage" and that these versions are "deployed against targets with security software installed to detect KopiLuwak".

All three versions can:

• Fingerprint targets, to understand what kind of computer has been infected;
• Gather information on system and network adapters;
• Steal files;
• Download and execute additional malware;
• MiamiBeach is also able to take screenshots.

Kurt Baumgartner, principal security researcher at Kaspersky, said: "In 2019, Turla emerged with a revamped toolset, introducing a number of new features possibly to minimise detection by security solutions and researchers.

"These include reducing the malware's digital footprint, and the creation of two different but similar versions of the well-known KopiLuwak malware. The abuse of installation packs for VPN software that can circumvent internet censorship suggests the attackers have clearly defined cyber espionage targets for these tools."