Telemiris

Malware Profile Updated 2 months ago
Download STIX
Preview STIX
Telemiris is a malware identified as a Python backdoor that uses Telegram as a command-and-control (C2) channel. It was originally packed with PyInstaller, but later instances of Nuitka-packaged samples were also identified. Telemiris is primarily used as a first-stage implant by operators to deploy other tools such as Roopy, JLORAT, or even the legitimate WinSCP binary, to further exfiltrate files. Once deployed, Telemiris responds with "Файл загружен!" ("File downloaded!"). On September 13, 2022, at around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris. The deployment process involved first a Python Meterpreter loader, then JLORAT and Roopy. Our telemetry shows that this TunnusSched malware, with MD5 hash C49DBF390E876E926A338EA07AC5D4A7, was deployed from Tomiris's Telemiris. Kaspersky's investigation has revealed overlaps between these attacks and a Turla cluster tracked by Google-owned Mandiant under the name UNC4210. The research uncovered that the QUIETCANARY (aka TunnusSched) implant had been deployed against a government target in the CIS region using Telemiris. This information provides significant indicators of compromise for Telemiris, aiding in future detection and prevention efforts.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Tomiris
1
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Tunnussched
1
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h
QUIETCANARY
1
Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
Unc4210
1
UNC4210 is a malicious software (malware) discovered by Mandiant in September 2022, suspected to be an operation of the Turla Team. This malware was identified as it re-registered three expired ANDROMEDA command and control (C2) domains and began selectively deploying KOPILUWAK and QUIETCANARY to vi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Kaspersky
Implant
Backdoor
Downloader
Rat
Loader
Malware
Telegram
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
MeterpreterUnspecified
1
Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Tomiris’s TelemirisUnspecified
1
Tomiris's Telemiris is a potent malware that has been discovered to deploy TunnusSched, another malicious software. This harmful program is designed to infiltrate and damage computer systems, often without the user's knowledge. It can infect systems through suspicious downloads, emails, or websites.
SbzUnspecified
1
SBZ is a potent piece of malware, characterized as a file stealer with the SHA-256 hash 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b. The discovery of this malware was facilitated by its similarity to the signatures associated with the Equation malware family. Its coding style an
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TurlaUnspecified
1
Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Telemiris TelemirisUnspecified
1
None
Source Document References
Information about the Telemiris Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
a year ago
Tomiris called, they want their Turla malware back
CERT-EU
a year ago
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU
a year ago
Tomiris called, they want their Turla malware back - GIXtools
CERT-EU
a year ago
Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU
a year ago
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting