A new malicious program created by the Turla group, called Topinambour, is out in the wild. It is not a stand-alone infection. On the contrary, the attackers use it to get in the door, so to speak: once it is in and established, it can bring in many others. That makes it incredibly dangerous, because it can be used to execute other droppers, Trojans, keyloggers, and many other kinds of infections. At the moment, this threat is not targeting ordinary home Windows users. Instead, it appears to have been created to attack governments and companies. What is the purpose of that? The attackers could have many different reasons to go after different targets, and the attacks are likely to be tailored to each one. Ultimately, if deleting Topinambour becomes necessary, a number of other threats might have to be deleted at the same time, depending on the attack. The easiest way to determine which threats must be eliminated is with the help of a legitimate malware scanner.
Topinambour uses a sophisticated method to enter targeted systems. Instead of relying on a disguise or tricking victims into running it by accident, it is bundled into installers of legitimate, attractive programs, such as a VPN tool or a license activation tool, which are then distributed in trojanized form. Once the trojanized installer is downloaded and run, the Trojan's dropper executes silently alongside the expected program and then fetches the later stages of the infection. JavaScript, .NET and PowerShell versions have been found, and while there are differences between them (for example, only the PowerShell version is believed to record screenshots on infected computers), they are meant to perform the same role. We do not know where the trojanized installer will be saved, but the Trojan itself is likely to be executed from a different location so that it is not detected and removed right away. For example, the installer might sit in %TEMP% while the Trojan runs from %LOCALAPPDATA%. The infection is expected to create its own folder there, and the file is likely to have a random name.
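The paragraph above gives a defender two concrete things to look for: recently created script or binary files under %TEMP% and %LOCALAPPDATA% in a folder of their own, and whatever re-launches them. The PowerShell sweep below is an added example written for this page, not code from the article, from Turla or from any vendor report. It assumes only the two locations named above; the 14-day window, the extension list (chosen to cover the JavaScript, .NET and PowerShell variants) and the scheduled-task check are assumptions, and any hit must be confirmed with a legitimate malware scanner rather than treated as proof of infection.

```powershell
# Added triage example (not from the original article).
# Lists recently created script/binary files under the drop locations the
# article names and any scheduled task that launches something from there.
# Assumptions: 14-day window, extension list, tasks as the persistence method.
param(
    [int]$Days = 14,
    [string[]]$Roots = @($env:TEMP, $env:LOCALAPPDATA)
)

# Loader/implant file types that would cover JavaScript, .NET and PowerShell variants.
$exts  = @('.js', '.jse', '.wsf', '.vbs', '.ps1', '.exe', '.dll', '.bat', '.cmd')
$since = (Get-Date).AddDays(-$Days)

$hits = foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -and $exts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Unsigned or invalidly signed files in a random-named folder deserve a closer look.
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                SHA256    = if ($hash) { $hash.Hash } else { '' }
            }
        }
}
# %TEMP% usually lives under %LOCALAPPDATA%, so drop duplicate rows.
$hits = $hits | Sort-Object Path -Unique

# Persistence check: flag tasks whose command line points into the same roots.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        foreach ($root in $Roots) {
            if ($root -and $cmd -like "*$root*") {
                [pscustomobject]@{ Task = $task.TaskName; TaskPath = $task.TaskPath; Command = $cmd }
            }
        }
    }
}

"== Files created in the last $Days days under $($Roots -join ', ') =="
$hits | Sort-Object Created -Descending | Format-Table -AutoSize
"== Scheduled tasks launching from those locations =="
$taskHits | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that every scheduled task is visible. Expect noise: browser caches and legitimate installers also leave unsigned files under %LOCALAPPDATA%, so sort by creation time, look for a lone executable or script in a folder nobody recognises, and hand the SHA256 values to a scanner or reputation service before deleting anything.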
Once in place, Topinambour can start downloading and executing malicious files; this is how the KopiLuwak Trojan could be delivered as well. At the same time, it is expected to start leaking sensitive data. Whether it does that by capturing and sending screenshots or in some other way, the result can be extremely damaging. Topinambour alone is dangerous enough, but with the additional threats it installs, the Turla attackers gain far more control. They could potentially crash systems, steal sensitive and confidential data, ruin reputations, and abuse the privileges they obtain to blackmail or intimidate third parties under the disguise of the organization under attack. Undoubtedly, this malware is extremely dangerous, and its removal must be handled as soon as possible. The issue is that while cleaning the systems and deleting existing infections might be relatively easy, fixing the damage caused by the malware and restoring the original state might be difficult or even impossible.
Removing Topinambour manually is incredibly difficult and, therefore, not recommended. Even if the Trojan itself is eliminated successfully using the instructions below, other threats may have been dropped onto the operating system by it, and identifying and removing everything manually might be too time-consuming. With threats like Topinambour there is no time to waste, so we advise using anti-malware software, which will automatically detect and eliminate every piece of malware it finds. All in all, erasing the infection appears to be the easy part. The difficult part is managing the damage the malware might already have caused. If, for example, highly sensitive government information has been leaked, the damage might be irreversible. In general, coping with the aftermath of this infection is likely to be far more harrowing than the removal process.