Turla is a high profile Russian-speaking threat actor with a known interest in cyberespionage against the government and diplomatic related targets. It has a reputation for being innovative and for its signature KopiLuwak malware, first observed in late 2016. In 2019, Kaspersky researchers uncovered new tools and techniques introduced by the threat actor that increase stealth and help to minimize detection.
KopiLuwak is designed for cyberespionage and Turla’s latest infection process includes techniques that help the malware to avoid detection. For example, the command and control infrastructure has IPs that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless’ – the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the malware to access when ready.
The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan are also designed for cyberespionage. Researchers believe that these versions are deployed against targets with security software installed that is able to detect KopiLuwak. Upon successful installation, all three versions can – Fingerprint targets, to understand what kind of computer has been infected, gather information on the system and network adapters, steal files, download and execute additional malware and MiamiBeach is also able to take screenshots.