KopiLuwak

Description

(Kaspersky) The KopiLuwak script is decoded by macro code very similar to that previously seen with IcedCoffee, but the resulting script is not the final step. This script is executed with a parameter used as a key to RC4 decrypt an additional layer of javascript that contains the system information collection and command and control beaconing functionality. KopiLuwak performs a more comprehensive system and network reconnaissance collection, and like IcedCoffee leaves very little on disk for investigators to discover other than the base script.

Names

Name
KopiLuwak

Type

Reconnaissance
Backdoor

Information

https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/
https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack

Mitre Attack

https://attack.mitre.org/software/S1075

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak

Other Information

Uuid

bf8419b4-0007-4045-bf5f-646e9bfbdc07

Last Card Change

2023-11-30

Threat Intelligence Garden

Explorer

KopiLuwak

KopiLuwak

Description

Names

Category

Type

Information

Mitre Attack

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks