Tunnussched

Malware Profile Updated 2 months ago
Download STIX
Preview STIX
TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even holding data for ransom. Our telemetry data indicates that this TunnusSched malware was notably deployed from Tomiris's Telemiris. Furthermore, it appears that TunnusSched shares code similarities with another malware known as Topinambour, specifically in their RC4 implementation, resulting in identical .NET bytecode. The TunnusSched sample leveraged by Tomiris (MD5 B38160FC836AD42F1753A0873C844925) closely resembles the one deployed from KopiLuwak according to Mandiant’s reporting (MD5 403876977DFB4AB2E2C15AD4B29423FF). This has led us to believe, with medium-to-high confidence, that both TunnusSched and KopiLuwak are being utilized by Tomiris. These two malwares are part of the same toolset and have been observed to be deployed together. Interestingly, the shared deployment of KopiLuwak and TunnusSched suggests that more actors could potentially access these malware tools. This raises concerns about the potential widespread use of these harmful programs. In addition, the APT group Tomiris has also been observed deploying these attack tools, which were previously linked to another APT group named Turla. This further underscores the need for robust cybersecurity measures to protect against these sophisticated threats.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Tomiris
2
Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i
KOPILUWAK
2
KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Telemiris
1
Telemiris is a malware identified as a Python backdoor that uses Telegram as a command-and-control (C2) channel. It was originally packed with PyInstaller, but later instances of Nuitka-packaged samples were also identified. Telemiris is primarily used as a first-stage implant by operators to deploy
QUIETCANARY
1
Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
Unc4210
1
UNC4210 is a malicious software (malware) discovered by Mandiant in September 2022, suspected to be an operation of the Turla Team. This malware was identified as it re-registered three expired ANDROMEDA command and control (C2) domains and began selectively deploying KOPILUWAK and QUIETCANARY to vi
Tunnus
1
Tunnus is a type of malware, or malicious software, that has been identified as potentially harmful to computer systems and devices. Identified by the SHA-256 hash 046f11a6c561e46e6bf199ab7f50e74a4d2aaead68cdbd6ce44b37b5b4964758, Tunnus uses the same RC4 implementation as TunnusSched and Topinambour
Topinambour
1
Topinambour is a malicious software (malware) that has been linked to the hacking group Turla, as reported by Kaspersky and Securelist. This malware, identified by SHA-256 29314f3cd73b81eda7bd90c66f659235e6bb900e499c9cc7057d10a9083a0b94, is known for its ability to exploit and damage computers or de
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Kaspersky
Implant
Backdoor
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
RocketmanUnspecified
1
RocketMan is a type of malware, short for malicious software, which is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once it gains access, RocketMan can steal personal information, dis
Tomiris’s TelemirisUnspecified
1
Tomiris's Telemiris is a potent malware that has been discovered to deploy TunnusSched, another malicious software. This harmful program is designed to infiltrate and damage computer systems, often without the user's knowledge. It can infect systems through suspicious downloads, emails, or websites.
ANDROMEDAUnspecified
1
Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TurlaUnspecified
2
Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Tomiris’s Telemiris Md5Unspecified
1
None
Tunnussched TunnusUnspecified
1
None
Tomiris Md5Unspecified
1
None
Tunnussched QuietcanaryUnspecified
1
None
Topinambour TunnusschedUnspecified
1
None
Source Document References
Information about the Tunnussched Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
InfoSecurity-magazine
a year ago
Tomiris and Turla APT Groups Collaborate to Target Government Entities
CERT-EU
a year ago
Tomiris called, they want their Turla malware back
CERT-EU
a year ago
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU
a year ago
APT trends report Q1 2023 - GIXtools
CERT-EU
a year ago
Crooks show they don't need ChatGPT to scam victims
CERT-EU
10 months ago
IT threat evolution Q2 2023
CERT-EU
a year ago
Tomoris links to APT behind SolarWinds attack put to rest
CERT-EU
a year ago
Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers
CERT-EU
a year ago
APT trends report Q1 2023
CERT-EU
10 months ago
IT threat evolution in Q2 2023 – GIXtools
CERT-EU
a year ago
Tomiris called, they want their Turla malware back - GIXtools
CERT-EU
a year ago
Kaspersky Analyzes Links Between Russian State-Sponsored APTs
CERT-EU
a year ago
Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting