KOPILUWAK

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX created and executed KopiLuwak from a specific file path, enabling it to infiltrate systems undetected. Both KopiLuwak and another malware, QUIETCANARY, were downloaded successively at different times, suggesting potential haste or operational deficiency on the part of the attackers. This pattern of activity aligns with Turla’s historical reuse of tools and malware ecosystems, including KopiLuwak, in cyber operations. In one notable instance, UNC4210, a suspected cluster of the Turla Team, used KopiLuwak as a "first-stage" profiling utility following the use of another malware, ANDROMEDA. Through KopiLuwak, UNC4210 conducted basic network reconnaissance on the victim machine, looking for all current TCP connections and network shares. The ANDROMEDA-injected process then downloaded and executed a WinRAR SFX containing KopiLuwak to a specific file path. Following extensive victim profiling by KopiLuwak, the ANDROMEDA injected process made a GET request to a specific URL which downloaded and executed QUIETCANARY. Two days after the initial execution and reconnaissance performed with KopiLuwak, Mandiant detected UNC4210 downloading QUIETCANARY to a host twice, but only executing commands through it on the second time. These actions highlight the complex and multi-stage nature of these cyber attacks, with KopiLuwak serving as a key tool in the attackers' arsenal.
What's your take? (Question 1 of 5)
3393e81f-6a23-4071-907f-68b734bc78cf Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Tunnussched
2
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h
Tomiris
2
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Topinambour
2
Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or de
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Backdoor
Dropper
Reconnaissance
Payload
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
QUIETCANARYUnspecified
3
Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
ANDROMEDAUnspecified
2
Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TurlaUnspecified
4
Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the KOPILUWAK Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Shedding Skin - Turla’s Fresh Faces | Securelist
Unit42
8 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)
MITRE
6 months ago
Turla: A Galaxy of Opportunity
CERT-EU
a year ago
Tomiris called, they want their Turla malware back
CERT-EU
a year ago
Tomiris called, they want their Turla malware back - GIXtools
CERT-EU
a year ago
Tomoris links to APT behind SolarWinds attack put to rest
CERT-EU
a year ago
Kaspersky Analyzes Links Between Russian State-Sponsored APTs
MITRE
a year ago
Introducing WhiteBear
CERT-EU
9 months ago
IT threat evolution Q2 2023
CERT-EU
9 months ago
IT threat evolution in Q2 2023 – GIXtools
InfoSecurity-magazine
a year ago
Tomiris and Turla APT Groups Collaborate to Target Government Entities
CERT-EU
a year ago
Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers