Topinambour

Malware updated a month ago (2024-10-08T12:00:57.579Z)

Download STIX

Preview STIX

Topinambour is a type of malware, malicious software designed to exploit and damage computer systems, typically delivered through suspicious downloads, emails, or websites. It was first associated with the hacking group Pensive Ursa in 2019, which utilized Topinambour as a dropper to deliver another malware known as Kopiluwak. The malware is typically dropped as a small .NET file in the %localappdata% folder and written as a scheduled task upon installation. Alerts for its execution prevention and detection have been shown in Cortex XDR, a cybersecurity platform. The Topinambour malware shares code similarities with other malicious programs like TunnusSched, Tunnus, and RocketMan, particularly in their RC4 implementation. This suggests a common origin or developer behind these tools. These similarities, along with its connection to KopiLuwak, indicate that all these implants are interconnected. Furthermore, there's evidence suggesting that these tools may be exclusively owned by another hacking group named Tomiris, considering the discovery of government victims in Russia in 2019. The Turla hacking group has also been linked to Topinambour. They have reportedly renewed their arsenal with this malware, using it to hide in anti-internet censorship software, as per Kaspersky's Securelist report. This strategy allows the malware to infect systems undetected, thus expanding its reach and potential impact. With these connections and shared characteristics, Topinambour represents a significant threat in the landscape of cyber threats.

Description last updated: 2024-10-08T11:32:59.700Z

What's your take? (Question 1 of 1)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
KOPILUWAK is a possible alias for Topinambour. KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Turla Threat Actor is associated with Topinambour. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	2

Source Document References

Information about the Topinambour Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	a year ago	Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back - GIXtools
Unit42	a year ago	Threat Group Assessment: Turla (aka Pensive Ursa)
CERT-EU	2 years ago	Tomiris called, they want their Turla malware back