The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.
The Russian-speaking actors believed to be behind Turla named the dropper “Topinambour,” another word for the Jerusalem artichoke (a.k.a. the sunchoke). Since January, Topinambour has served as the first-stage implant in Turla campaigns. Once installed, it fetches the other malware the group uses to gain access to target networks and exfiltrate information.
“To deliver [the new modules] to targets, the operators use legitimate software installers infected with the Topinambour dropper,” researchers at Kaspersky wrote in a malware analysis on Monday. “These could be tools to circumvent internet censorship, such as Softether VPN 4.12 and psiphon3, or Microsoft Office activators.” The latter fall outside the anti-censorship theme: they are pirate tools used to activate the Microsoft Office suite without buying a product key.
Turla's developers are still using a familiar coding style, but they’re creating new tools. Here we’ll tell you about several of them, namely “Topinambour” and its related modules.