Tunnus

Tunnus is a type of malware, or malicious software, that has been identified as potentially harmful to computer systems and devices. Identified by the SHA-256 hash 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758, Tunnus uses the same RC4 implementation as TunnusSched and Topinambour. These programs are written in JavaScript and .NET and can infiltrate systems through suspicious downloads, emails, or websites. Once inside, they have the ability to steal personal information, disrupt operations, or hold data hostage for ransom. The Tunnus malware, along with similar tools like TunnusSched (also known as QUIETCANARY), RocketMan, and Topinambour, has been linked to the cyber threat actor group Tomiris. In 2019, it was discovered that these tools were used against government victims in Russia, suggesting a high likelihood that Tunnus is part of Tomiris's arsenal. There is also speculation that these tools could be the exclusive property of Tomiris. QUIETCANARY, a lightweight .NET backdoor, has been primarily used by UNC4120 to gather and exfiltrate data from victims. However, due to the open nature of their source code, there is a possibility that other threat actors may have repurposed these tools under a false flag. The unique RC4 implementation in these samples results in strictly identical .NET bytecode, which seems to be unique to Tunnus, TunnusSched, and Topinambour. Despite some confusion in naming conventions between different reporting entities, tracking of these malicious software variants has been ongoing since at least 2019, underscoring the persistent threat they pose.