silversurfer

Level 50
Verified
Trusted
Content Creator
Malware Hunter
The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.

The Russian-speaking actors believed behind Turla named the dropper “Topinambour,” which is another word for the Jerusalem artichoke (a.k.a. the sunchoke). Since January, Topinambour has become the first-stage implantation for Turla campaigns. Once installed, it fetches all the other malware that the group uses to gain access to target networks and exfiltrate information.

“To deliver [the new modules] to targets, the operators use legitimate software installers infected with the Topinambour dropper,” researchers at Kaspersky wrote in a malware analysis on Monday. “These could be tools to circumvent internet censorship, such as Softether VPN 4.12 and psiphon3, or Microsoft Office activators.” The latter are exceptions to the anti-censorship ploys and are used by software pirates to activate the Microsoft Office suite without having to buy the actual product key.