Topinambour

Researchers have identified a new trojan, named Topinambour, deployed by the advanced persistent threat (APT) group Turla. It is a first-stage dropper whose job is to install additional malware on the infected system. The group's targeting is narrow: diplomatic and government entities. The dropper is delivered inside legitimate but trojanized installers for software the targets are likely to seek out, such as anti-censorship tools and VPN (virtual private network) clients, a reminder that such installers should be obtained from the vendor and their signatures or hashes checked before use. Once Topinambour runs, it contacts the attackers' infrastructure to fetch and launch the next-stage modules, which give the operators further access to the target network and a channel for exfiltration. In the final stage of the infection, the payload is stored encrypted in the Windows registry rather than on disk and is decrypted from there when needed, which keeps its footprint small and reduces the chance of detection by file-based scanning. The toolset lets Turla fingerprint the target system, upload, download, and execute files, and capture screenshots.
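The registry-resident stage described above is a hunting opportunity: an encrypted payload stashed in a registry value looks like a large blob of near-random bytes, which is rare among legitimate values. The script below is an added example, not code from the SecureList report or from Turla's tooling. It parses a regedit `.reg` export (the output of `reg export <key> file.reg`) and flags binary values that are both large and high-entropy. The sample export, the `Contoso` key paths and the value names are constructed for illustration; this page gives no Topinambour key names, so the script is meant to be run over exports of the hives you care about rather than against a known indicator.

```python
import hashlib
import math
import re
from collections import Counter

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the maximum; encrypted or compressed data sits near it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_reg_export(text: str):
    """Yield (key, name, kind, payload) for each value in a .reg export.

    kind is 'sz' (quoted string, payload str), 'dword' (payload int) or the hex
    type prefix such as 'hex' or 'hex(2)' (payload bytes). Hex values that
    regedit wraps over several lines with a trailing backslash are reassembled.
    """
    key = name = kind = None
    hex_parts = []  # non-empty while inside a multi-line hex value
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if hex_parts:
            continues = line.endswith("\\")
            hex_parts.append(line.rstrip("\\"))
            if not continues:
                raw_hex = "".join(hex_parts).replace(",", "").replace(" ", "")
                yield (key, name, kind, bytes.fromhex(raw_hex))
                hex_parts = []
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            yield (key, name, "sz", data[1:-1])
        elif data.startswith("dword:"):
            yield (key, name, "dword", int(data[len("dword:"):], 16))
        elif data.startswith("hex"):
            kind, _, body = data.partition(":")
            if body.endswith("\\"):
                hex_parts = [body.rstrip("\\")]  # more lines follow
            else:
                yield (key, name, kind, bytes.fromhex(body.replace(",", "")))


def find_suspicious_blobs(text: str, min_size: int = 1024, min_entropy: float = 7.0):
    """Return binary values that are large and near-random: candidates for an encrypted stage."""
    hits = []
    for key, name, kind, payload in parse_reg_export(text):
        if not isinstance(payload, bytes) or len(payload) < min_size:
            continue
        ent = shannon_entropy(payload)
        if ent >= min_entropy:
            hits.append({"key": key, "name": name, "kind": kind,
                         "size": len(payload), "entropy": round(ent, 2)})
    return hits


def _pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an encrypted stage."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


def _to_reg_hex(data: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit exports them: comma-separated, backslash-wrapped lines."""
    pairs = [f"{b:02x}" for b in data]
    lines = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return ",\\\n  ".join(lines)


# Constructed sample export (assumed key paths and value names, not real indicators):
# three ordinary values and one 4 KiB random-looking blob.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Contoso\\Settings]\n"
    '"Theme"="dark"\n'
    '"Layout"=hex:01,00,00,00,02,00,00,00\n'
    '"Retries"=dword:00000003\n\n'
    "[HKEY_CURRENT_USER\\Software\\Contoso\\Cache]\n"
    '"Blob"=hex:' + _to_reg_hex(_pseudo_random(b"constructed", 4096)) + "\n"
)

if __name__ == "__main__":
    for hit in find_suspicious_blobs(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['name']}: {hit['size']} bytes, entropy {hit['entropy']}")
```

Entropy alone produces false positives (certificates, thumbnails, compressed settings), so treat a hit as a lead to pull the value and look at its owner, creation time and any script or scheduled task that reads it, not as a verdict. The size and entropy thresholds are parameters because a small loader stub will be below 1 KiB and an XOR-obfuscated one may score well under 7 bits per byte.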

Technical details and reporting:

For further analysis and technical details, users can read the SecureList report.