Trojan:VBS/Turla

The KopiLuwak framework, the very core of Trojan:VBS/Turla uses a multilayered VBScript structure that runs entirely in memory after initial delivery. Delivery starts with a dropper, often a WinRAR self-extracting archive, which writes the primary script file to directories such as %AppData%\Local\Microsoft\Windows\ or C:\Windows\Temp. Observed script file names include mailform.js, xpexplore.js, Scr.js, and appidpolicyconverter.js. Despite the .js extension on some samples, the core payload and launch logic are VBScript based. The script then applies to a progressive decryption sequence. The final payload executes through the VBScript eval or launchx function directly in memory.

After activation, the VBScript runs a series of reconnaissance commands through WScript.Shell. It launches systeminfo to retrieve hardware and patch levels, net view to find network shares and adjacent systems, net view /domain to identify domain controllers, and tasklist /v to list running processes including security software. It runs gpresult /z to extract Group Policy settings, netstat -nao to display active connections and process identifiers, ipconfig /all for adapter details, arp -a to locate other active devices on the subnet, net share to list resources shared by the host, and net user /domain to enumerate domain user accounts. It also inventories user directories with dir %systemdrive%\Users*.* and checks the desktop with dir %userprofile%\Desktop. Outbound connectivity is verified through tracert www.google.com. The script writes results to temporary staging files named ~dat.tmp, result2.dat, or ~~.tmp before encryption and exfiltration.

The VBScript builds a unique 16-character identifier based on the hostname and username, then appends a fixed string such as KRMLT0G3PHdYjnEm. This identifier appears in a custom User Agent header for HTTP or HTTPS POST requests to the C2 server. Known C2 domains associated with this activity include manager.surro[.]am, yelprope.cloudns[.]cl, and anam0rph[.]su. The threat actor also compromises legitimate WordPress sites to act as proxies, with examples such as www[.]huluwa[.]uk/wp-content/plugins/.../class-wc-log.php and tresor-rare[.]com[.]hk/wp-content/plugins/.../LogsLoader.php. Associated IP addresses are 194[.]67[.]209[.]186, 94[.]177[.]198[.]94, and 162[.]213[.]195[.]129.

Persistence is established through registry changes. The VBScript adds a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, for instance local_update_check pointing to the .vbs or .js file. It may also modify HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell or insert random keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Additional artifacts include the file ~~.tmp in %AppData% that stores system fingerprinting data, and downloaded payloads written to %AppData%\Microsoft\Protect\ with names like D8chd.[ext] and a3q4d.[ext]. The C2 server can command the VBScript to execute arbitrary shell commands, download additional files, upload specific documents, pause operations for a defined period, or uninstall itself to remove forensic evidence.