Openhunting Threat Library

KopiLuwak

KopiLuwak
(Type: Reconnaissance, Backdoor)

(Kaspersky) The KopiLuwak script is decoded by macro code very similar to that previously seen with {{IcedCoffee}}, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

[News Analysis] Trends:

Total Trend: 8

Trend Per Year
1
2015
3
2017
1
2018
1
2020
2
2023


Trend Per Month
1
2015
1
Feb 2017
1
Aug 2017
1
Oct 2017
1
Oct 2018
1
Feb 2020
1
Jan 2023
1
Apr 2023



[News Analysis] News Mention Another Threat Name:

64 - KopiLuwak12 - Andromeda12 - Ave Maria12 - GoldMax12 - JLORAT12 - Kazuar17 - Meterpreter12 - QUIETCANARY12 - RATel12 - Roopy12 - Telemiris12 - tomiris12 - Topinambour48 - Chrysaor48 - Exodus48 - Dacls48 - VPNFilter48 - DNSRat48 - Griffon48 - More_eggs48 - SQLRat48 - AppleJeus48 - BONDUPDATER53 - Agent.BTZ48 - Anchor48 - AndroMut48 - BOOSTWRITE48 - Brambul48 - Carbanak48 - Cobalt Strike48 - DistTrack48 - DNSpionage48 - Dtrack48 - ELECTRICFISH48 - FlawedAmmyy48 - FlawedGrace48 - Get248 - Grateful POS48 - HOPLIGHT48 - Imminent Monitor RAT48 - jason48 - Joanap48 - KerrDown48 - KEYMARBLE48 - Lambert48 - LightNeuron48 - LoJax48 - MiniDuke48 - PolyglotDuke48 - PowerRatankba48 - Rising Sun48 - SDBbot48 - ServHelper48 - Snatch48 - Stuxnet48 - TinyMet48 - tRat48 - TrickBot48 - Volgmer48 - X-Agent48 - Zebrocy6 - Cobra Carbon System6 - Gazer6 - Mosquito6 - Skipper


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Tomiris called, they want their Turla malware back

2023-04-24 by Pierre Delcher from Kaspersky Labs

Turla: A Galaxy of Opportunity

2023-01-05 by Sarah Hawley from Mandiant

APT Report 2019

2020-02-13 by Qi Anxin Threat Intelligence Center from Qianxin

Shedding Skin – Turla’s Fresh Faces

2018-10-04 by GReAT from Kaspersky Labs

Analysis of a malicious DOC used by Turla APT group; hunting persistence via PowerShell

2017-10-05 by Angel Alonso-Parrizas from

Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack

2017-08-17 by Darien Huss from Proofpoint

KopiLuwak: A New JavaScript Payload from Turla

2017-02-02 by Brian Bartholomew from Kaspersky Labs

New Pacifier APT Components Point to Russian-Linked Turla Group

2015 by Cristian Istrate from Bitdefender

Basic Information (Credit @etda.or.th)

Tool: KopiLuwak

Names: KopiLuwak

Description: (Kaspersky) The KopiLuwak script is decoded by macro code very similar to that previously seen with {{IcedCoffee}}, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

Category: Malware

Type: Reconnaissance, Backdoor

Information: https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

Information: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/

Information: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak

Last-card-change: 2020-05-13

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact