Topinambour

Malware updated 4 months ago (2024-05-04T19:18:27.004Z)

Download STIX

Preview STIX

Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or devices, infiltrating systems through suspicious downloads, emails, or websites. Notably, it has been found hidden in anti-internet censorship software, reflecting the sophisticated tactics employed by the perpetrators. The emergence of Topinambour was first noted in 2019 when the threat actor Pensive Ursa began using it as a dropper to deliver another malware, Kopiluwak. This activity was detected by security platforms like Cortex XDR, which displayed execution prevention and detection alerts related to Topinambour. The malware shares code similarities with other malicious tools such as TunnusSched and RocketMan, specifically the same RC4 implementation, indicating interconnectedness among these implants. Furthermore, there's strong evidence suggesting that Topinambour, along with other tools like Tunnus, TunnusSched (QUIETCANARY), and RocketMan, may have been used exclusively by another threat actor, Tomiris. This assumption is based on the discovery of government victims in Russia in 2019. The intricate web of connections between these various pieces of malware and their shared attributes underscores the complexity of the cybersecurity threats posed by groups like Turla.

Description last updated: 2024-05-04T18:49:14.102Z

What's your take? (Question 1 of 1)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
KOPILUWAK	2	KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Turla	Unspecified	2	Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT

Source Document References

Information about the Topinambour Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	10 months ago	Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
CERT-EU	a year ago	Tomiris called, they want their Turla malware back - GIXtools
Unit42	a year ago	Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU	a year ago	Tomiris called, they want their Turla malware back