Tunnussched

Malware updated 4 months ago (2024-05-04T18:13:15.018Z)

Download STIX

Preview STIX

TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even holding data for ransom. Our telemetry data indicates that this TunnusSched malware was notably deployed from Tomiris's Telemiris. Furthermore, it appears that TunnusSched shares code similarities with another malware known as Topinambour, specifically in their RC4 implementation, resulting in identical .NET bytecode. The TunnusSched sample leveraged by Tomiris (MD5 B38160FC836AD42F1753A0873C844925) closely resembles the one deployed from KopiLuwak according to Mandiant’s reporting (MD5 403876977DFB4AB2E2C15AD4B29423FF). This has led us to believe, with medium-to-high confidence, that both TunnusSched and KopiLuwak are being utilized by Tomiris. These two malwares are part of the same toolset and have been observed to be deployed together. Interestingly, the shared deployment of KopiLuwak and TunnusSched suggests that more actors could potentially access these malware tools. This raises concerns about the potential widespread use of these harmful programs. In addition, the APT group Tomiris has also been observed deploying these attack tools, which were previously linked to another APT group named Turla. This further underscores the need for robust cybersecurity measures to protect against these sophisticated threats.

Description last updated: 2024-05-04T16:46:49.828Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Tomiris	2	Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
KOPILUWAK	2	KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Turla	Unspecified	2	Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT

Source Document References

Information about the Tunnussched Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	a year ago	Tomiris and Turla APT Groups Collaborate to Target Government Entities
CERT-EU	a year ago	Tomiris called, they want their Turla malware back
CERT-EU	a year ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU	a year ago	APT trends report Q1 2023 - GIXtools
CERT-EU	a year ago	Crooks show they don't need ChatGPT to scam victims
CERT-EU	a year ago	IT threat evolution Q2 2023
CERT-EU	a year ago	Tomoris links to APT behind SolarWinds attack put to rest
CERT-EU	a year ago	Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers
CERT-EU	a year ago	APT trends report Q1 2023
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	a year ago	Tomiris called, they want their Turla malware back - GIXtools
CERT-EU	a year ago	Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU	a year ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting