KOPILUWAK

Malware updated 5 months ago (2024-05-04T17:17:40.360Z)

Download STIX

Preview STIX

KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX created and executed KopiLuwak from a specific file path, enabling it to infiltrate systems undetected. Both KopiLuwak and another malware, QUIETCANARY, were downloaded successively at different times, suggesting potential haste or operational deficiency on the part of the attackers. This pattern of activity aligns with Turla’s historical reuse of tools and malware ecosystems, including KopiLuwak, in cyber operations. In one notable instance, UNC4210, a suspected cluster of the Turla Team, used KopiLuwak as a "first-stage" profiling utility following the use of another malware, ANDROMEDA. Through KopiLuwak, UNC4210 conducted basic network reconnaissance on the victim machine, looking for all current TCP connections and network shares. The ANDROMEDA-injected process then downloaded and executed a WinRAR SFX containing KopiLuwak to a specific file path. Following extensive victim profiling by KopiLuwak, the ANDROMEDA injected process made a GET request to a specific URL which downloaded and executed QUIETCANARY. Two days after the initial execution and reconnaissance performed with KopiLuwak, Mandiant detected UNC4210 downloading QUIETCANARY to a host twice, but only executing commands through it on the second time. These actions highlight the complex and multi-stage nature of these cyber attacks, with KopiLuwak serving as a key tool in the attackers' arsenal.

Description last updated: 2024-05-04T16:46:33.950Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Tunnussched is a possible alias for KOPILUWAK. TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h	2
Tomiris is a possible alias for KOPILUWAK. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu	2
Topinambour is a possible alias for KOPILUWAK. Topinambour is a type of malware, malicious software designed to exploit and damage computer systems, typically delivered through suspicious downloads, emails, or websites. It was first associated with the hacking group Pensive Ursa in 2019, which utilized Topinambour as a dropper to deliver another	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Dropper

Backdoor

Reconnaissance

JavaScript

Payload

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The QUIETCANARY Malware is associated with KOPILUWAK. Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun	Unspecified	3
The ANDROMEDA Malware is associated with KOPILUWAK. Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Turla Threat Actor is associated with KOPILUWAK. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	4

Source Document References

Information about the KOPILUWAK Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	10 months ago	Turla: A Galaxy of Opportunity
MITRE	2 years ago	Introducing WhiteBear
InfoSecurity-magazine	a year ago	Tomiris and Turla APT Groups Collaborate to Target Government Entities
CERT-EU	a year ago	Tomiris called, they want their Turla malware back
CERT-EU	a year ago	Tomiris called, they want their Turla malware back - GIXtools
CERT-EU	a year ago	Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers
Unit42	a year ago	Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	IT threat evolution Q2 2023
MITRE	2 years ago	Shedding Skin - Turla’s Fresh Faces \| Securelist
CERT-EU	a year ago	Tomoris links to APT behind SolarWinds attack put to rest
CERT-EU	a year ago	Kaspersky Analyzes Links Between Russian State-Sponsored APTs