New Malware Utilizing Anti-Censorship Software to Infect Targets
Researchers have identified a new trojan, named Topinambour, deployed by the advanced persistent threat (APT) group Turla. It is a first-stage dropper used to install additional malware on an infected system. The group's targets are clearly defined, focusing on diplomatic and government entities. The trojan is spread through a victim’s use of legitimate, yet compromised software installers, such as those for anti-censorship programs like VPNs (virtual private networks). Once Topinambour is installed, it detects and calls out to other malware in order to gain further access to target networks and exfiltrate information. During the final stage of the infection, the trojan is encrypted and embedded into the computer’s registry for later retrieval, minimizing detection. The operation allows the Turla group to upload, download, and execute files, capture screenshots, and ultimately fingerprint the targets’ systems. For further analysis and technical details, please review the Threatpost article. The NJCCIC recommends organizations who may be considered targets for APT activity ensure they employ a defense-in-depth cybersecurity strategy, keep anti-virus/anti-malware updated and running, and follow the Principle of Least Privilege.