KOPILUWAK

Malware updated 23 days ago (2024-11-29T13:30:43.494Z)
Download STIX
Preview STIX
KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX created and executed KopiLuwak from a specific file path, enabling it to infiltrate systems undetected. Both KopiLuwak and another malware, QUIETCANARY, were downloaded successively at different times, suggesting potential haste or operational deficiency on the part of the attackers. This pattern of activity aligns with Turla’s historical reuse of tools and malware ecosystems, including KopiLuwak, in cyber operations. In one notable instance, UNC4210, a suspected cluster of the Turla Team, used KopiLuwak as a "first-stage" profiling utility following the use of another malware, ANDROMEDA. Through KopiLuwak, UNC4210 conducted basic network reconnaissance on the victim machine, looking for all current TCP connections and network shares. The ANDROMEDA-injected process then downloaded and executed a WinRAR SFX containing KopiLuwak to a specific file path. Following extensive victim profiling by KopiLuwak, the ANDROMEDA injected process made a GET request to a specific URL which downloaded and executed QUIETCANARY. Two days after the initial execution and reconnaissance performed with KopiLuwak, Mandiant detected UNC4210 downloading QUIETCANARY to a host twice, but only executing commands through it on the second time. These actions highlight the complex and multi-stage nature of these cyber attacks, with KopiLuwak serving as a key tool in the attackers' arsenal.
Description last updated: 2024-05-04T16:46:33.950Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tunnussched is a possible alias for KOPILUWAK. TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h
2
Tomiris is a possible alias for KOPILUWAK. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu
2
Topinambour is a possible alias for KOPILUWAK. Topinambour is a type of malware, malicious software designed to exploit and damage computer systems, typically delivered through suspicious downloads, emails, or websites. It was first associated with the hacking group Pensive Ursa in 2019, which utilized Topinambour as a dropper to deliver another
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Dropper
Backdoor
Reconnaissance
JavaScript
Payload
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The QUIETCANARY Malware is associated with KOPILUWAK. Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjunUnspecified
3
The ANDROMEDA Malware is associated with KOPILUWAK. Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hoUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with KOPILUWAK. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
4
Source Document References
Information about the KOPILUWAK Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more