
KopiLuwak

Posted: July 17, 2019

KopiLuwak is a backdoor Trojan that collects system information for delivery to a remote attacker and provides script-based means of further controlling your PC. Its use is specific to the Turla threat actor, which targets government and media institutions for espionage. Users should be alert to the phishing e-mails that deliver it and use dedicated anti-malware utilities to remove KopiLuwak safely.

Backdoor Trojans Mixing Up Their Languages

Although KopiLuwak has been a well-analyzed part of the Turla APT's toolkit for years, the iterations seen in 2019 go out of their way to improve the threat's stealth and its compatibility with different environments. Originally written in JavaScript, KopiLuwak has a relatively limited payload, which malware experts interpret as a first- or second-stage component of an attack whose ultimate aim is high-level reconnaissance and control over the computer. New versions appear over time, however, including recent editions that no longer use JavaScript at all.

The new versions of KopiLuwak include both .NET Framework and PowerShell variants, all of which appear to retain the same capabilities as the original JavaScript one. As part of its default installation routine, KopiLuwak establishes persistence on the system, then collects environmental details and silently accepts commands.

KopiLuwak transfers various system details to the Turla APT's operators, who usually host their C&C servers on compromised websites. After choosing a course of action, they can send KopiLuwak further commands, which the JavaScript version runs through WScript (wscript.exe), the Windows Script Host that executes JScript and VBScript files. This flexibility lets KopiLuwak download and install other threats, or make additional, unsafe changes to the system's settings or files.
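The two preceding paragraphs describe a backdoor that runs as a script under wscript.exe or PowerShell, persists through an autorun entry, and then silently takes commands. The following is an added hunting example, not code from this page or from any published KopiLuwak analysis: it scores constructed process-creation events (in the shape of Sysmon Event ID 1 / Security 4688 records) and constructed Run-key values for the generic traits such a backdoor leaves behind. The path lists, PowerShell switch pattern, field names and sample records are assumptions for illustration and are not KopiLuwak indicators.

```python
"""
Hunting logic for script-host backdoors: a JScript or PowerShell payload run
through wscript.exe/cscript.exe/powershell.exe that persists via an autorun
value. Added example; all records below are constructed and the heuristics
are illustrative assumptions, not indicators from any KopiLuwak report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows Script Host binaries: wscript.exe is the windowed host, cscript.exe the console one.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Directories a standard user can write to (assumed list); a script launched from here merits a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# PowerShell switches typical of hidden, encoded one-liners dropped by malicious documents.
PS_SUSPICIOUS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand|nop|noprofile|w(indowstyle)?\s+hidden)\b", re.I)
# wscript //B and /B run the script in batch mode, i.e. without any user-visible dialogs.
WSH_BATCH = re.compile(r"\s//?b\b", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are assumptions, cf. Sysmon Event ID 1)."""
    image: str
    command_line: str
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(ev: ProcEvent) -> list[str]:
    """Return the suspicious traits found in one process-creation event (empty list if none)."""
    findings: list[str] = []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line.lower()

    if image in SCRIPT_HOSTS:
        runs_script = any(ext in cmd for ext in SCRIPT_EXTENSIONS)
        if runs_script and any(d in cmd for d in USER_WRITABLE):
            findings.append("script host running a script from a user-writable path")
        if WSH_BATCH.search(cmd):
            findings.append("script host invoked in batch (silent) mode")
    elif image in POWERSHELL and PS_SUSPICIOUS.search(ev.command_line):
        findings.append("powershell launched hidden or with an encoded command")

    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS | POWERSHELL | {"cmd.exe"}:
        findings.append(f"interpreter spawned by Office process {parent}")
    return findings


def classify_autorun(name: str, data: str) -> list[str]:
    """Flag a Run-key style value that launches a script interpreter, especially from a user path."""
    findings: list[str] = []
    low = data.lower()
    if not any(host in low for host in SCRIPT_HOSTS | POWERSHELL):
        return findings
    if any(ext in low for ext in SCRIPT_EXTENSIONS) or PS_SUSPICIOUS.search(data):
        findings.append(f"autorun '{name}' launches a script interpreter with a script or encoded command")
    if any(d in low for d in USER_WRITABLE):
        findings.append(f"autorun '{name}' points into a user-writable path")
    return findings


def hunt(events: list[ProcEvent], autoruns: dict[str, str]) -> dict[str, list[str]]:
    """Run both classifiers and return only the records that produced findings."""
    hits: dict[str, list[str]] = {}
    for i, ev in enumerate(events):
        if (f := classify_process(ev)):
            hits[f"proc:{i}"] = f
    for name, data in autoruns.items():
        if (f := classify_autorun(name, data)):
            hits[f"autorun:{name}"] = f
    return hits


# Constructed sample telemetry: two malicious-looking records, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft\update.js"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA",  # SQBFAFgA is UTF-16LE "IEX"
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r'cscript.exe //nologo "C:\Windows\System32\slmgr.vbs" /dlv',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]
SAMPLE_AUTORUNS = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WinUpdateSvc": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft\update.js"',
}

if __name__ == "__main__":
    for key, traits in hunt(SAMPLE_EVENTS, SAMPLE_AUTORUNS).items():
        print(key, "->", "; ".join(traits))
```

The heuristics deliberately key on behaviour (a script host or PowerShell started silently from a user-writable location, or from an Office parent, and an autorun value that re-launches it) rather than on file names or hashes, since the text above is precisely about the actor rewriting the same payload in new languages to shed old signatures. On real telemetry the benign cscript/slmgr.vbs and OneDrive records show why the path and parent checks matter: script hosts alone are far too common to alert on.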

Warding Off Trojans that Have Changed Their Clothes

Ordinarily, a wholesale switch of programming language is a massive investment for a Trojan's author. However, the resources available to the Turla APT, combined with the narrow focus of KopiLuwak's payload, make porting simpler than it would be for a more sophisticated Trojan or a less well-funded operation. These changes are likely attempts to evade detection heuristics written for old builds of KopiLuwak, a noted focus of its long-term development.

Attacks that introduce KopiLuwak tend to target government networks of interest to the Russian government, as well as some business entities such as news media organizations. Most initial infections lean heavily on e-mail phishing that imitates legitimate content tailored to the victim, such as an industry- or organization-specific financial document. Besides scanning new downloads and links, malware experts particularly warn against enabling macros in suspicious documents or spreadsheets.

KopiLuwak infections produce no visible symptoms. Update your anti-malware solutions and run comprehensive system scans to delete KopiLuwak and any other threats it may deposit during its attacks.

From JavaScript to PowerShell and beyond, KopiLuwak is a quiet yet constantly evolving threat. Backdoor Trojans deployed this narrowly aren't a problem for the general public, but they are an always-relevant danger to any employee working on a targeted network.
