Tunnussched

Malware updated 23 days ago (2024-11-29T14:21:40.482Z)
Download STIX
Preview STIX
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even holding data for ransom. Our telemetry data indicates that this TunnusSched malware was notably deployed from Tomiris's Telemiris. Furthermore, it appears that TunnusSched shares code similarities with another malware known as Topinambour, specifically in their RC4 implementation, resulting in identical .NET bytecode. The TunnusSched sample leveraged by Tomiris (MD5 B38160FC836AD42F1753A0873C844925) closely resembles the one deployed from KopiLuwak according to Mandiant’s reporting (MD5 403876977DFB4AB2E2C15AD4B29423FF). This has led us to believe, with medium-to-high confidence, that both TunnusSched and KopiLuwak are being utilized by Tomiris. These two malwares are part of the same toolset and have been observed to be deployed together. Interestingly, the shared deployment of KopiLuwak and TunnusSched suggests that more actors could potentially access these malware tools. This raises concerns about the potential widespread use of these harmful programs. In addition, the APT group Tomiris has also been observed deploying these attack tools, which were previously linked to another APT group named Turla. This further underscores the need for robust cybersecurity measures to protect against these sophisticated threats.
Description last updated: 2024-05-04T16:46:49.828Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tomiris is a possible alias for Tunnussched. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu
2
KOPILUWAK is a possible alias for Tunnussched. KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with Tunnussched. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
2