Tunnus

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Tunnus is a type of malware, or malicious software, that has been identified as potentially harmful to computer systems and devices. Identified by the SHA-256 hash 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758, Tunnus uses the same RC4 implementation as TunnusSched and Topinambour. These programs are written in JavaScript and .NET and can infiltrate systems through suspicious downloads, emails, or websites. Once inside, they have the ability to steal personal information, disrupt operations, or hold data hostage for ransom. The Tunnus malware, along with similar tools like TunnusSched (also known as QUIETCANARY), RocketMan, and Topinambour, has been linked to the cyber threat actor group Tomiris. In 2019, it was discovered that these tools were used against government victims in Russia, suggesting a high likelihood that Tunnus is part of Tomiris's arsenal. There is also speculation that these tools could be the exclusive property of Tomiris. QUIETCANARY, a lightweight .NET backdoor, has been primarily used by UNC4120 to gather and exfiltrate data from victims. However, due to the open nature of their source code, there is a possibility that other threat actors may have repurposed these tools under a false flag. The unique RC4 implementation in these samples results in strictly identical .NET bytecode, which seems to be unique to Tunnus, TunnusSched, and Topinambour. Despite some confusion in naming conventions between different reporting entities, tracking of these malicious software variants has been ongoing since at least 2019, underscoring the persistent threat they pose.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
QUIETCANARY
2
Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
Tunnussched
1
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h
Topinambour
1
Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or de
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
RocketmanUnspecified
1
RocketMan is a type of malware, short for malicious software, which is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains access, RocketMan can steal personal information, dis
TomirisUnspecified
1
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Topinambour RocketmanUnspecified
1
None
Tunnussched TunnusUnspecified
1
None
Tunnussched QuietcanaryUnspecified
1
None
Source Document References
Information about the Tunnus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
7 months ago
Turla: A Galaxy of Opportunity
CERT-EU
a year ago
Tomiris called, they want their Turla malware back
CERT-EU
a year ago
Tomiris called, they want their Turla malware back - GIXtools
Unit42
10 months ago
Threat Group Assessment: Turla (aka Pensive Ursa)