A dropper called “Topinambour” is the first-stage implant, which in turn fetches a spy trojan built in several coding languages.
The Turla APT revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet-censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets.
The Russian-speaking actors believed to be behind Turla named the dropper “Topinambour,” which is another word for the Jerusalem artichoke (a.k.a. the sunchoke). Since January, Topinambour has become the first-stage implant for Turla campaigns. Once installed, it fetches all the other malware that the group uses to gain access to target networks and exfiltrate information.