- Slow Computer
- System crashes
- Normal system programs crash immediately
- Connects to the internet without permission
- Installs itself without permission
- Can't be uninstalled via Control Panel
Topinambour is a .NET-based backdoor that the Turla group uses to gain an initial foothold on a Windows operating system. Once it is running, the attackers can use it to download and execute further malware, so the initial infection is rarely the only one. Turla goes by many names, including Krypton, Snake, Venomous Bear, Waterbug and WhiteBear. The group is widely believed to operate from Russia, and its targets are large organisations such as government agencies and international companies rather than individual Windows users. Reported victims include the militaries of the US, Pakistan and India, a gaming company in South Korea, and diplomatic agencies in Eastern Europe. The group has remained active for over a decade and keeps adding new tools to its arsenal. This report covers the removal of Topinambour, but if this threat is present, others are likely present too.
Before discussing removal, it is worth looking at how Topinambour spreads. According to our malware researchers, it is distributed inside legitimate, otherwise harmless software installers, which is an effective way to avoid suspicion. A dropper is bundled into the legitimate installer; the dropper carries a small .NET shell that the attackers control with remote commands. The tampered installer could land anywhere on the computer; in our case it was written to the %TEMP% directory. After execution, the shell installed itself under %LOCALAPPDATA%\VirtualStore\, and a scheduled task was created to keep it running. From there, the infection is meant to fetch further modules, such as the KopiLuwak dropper, which in turn drops more threats onto the operating system. So although Topinambour is the initial-stage component, deleting it alone is not enough: the components it downloaded most likely also need to be removed.
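The two artefacts named above, a dropper in %TEMP% and a scheduled task that launches a payload from %LOCALAPPDATA%\VirtualStore\, are easy to hunt for offline. The script below is an added example, not code from the original report or from any vendor tool: it parses the per-task XML that Task Scheduler keeps under C:\Windows\System32\Tasks (or that `schtasks /query /xml` exports) and flags any task whose action runs from those user-writable locations. The task names, the user "alice" and the file name "svchelper.exe" in the embedded samples are constructed for illustration and are not real Turla indicators.

```python
"""Triage Windows scheduled tasks for actions that launch from user-writable
paths (the %TEMP% and %LOCALAPPDATA%\\VirtualStore\\ locations named above).

Input is the XML that Task Scheduler stores per task under
C:\\Windows\\System32\\Tasks, so the script can run offline against a Tasks
folder copied out of a forensic image.
"""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations the report names for the dropper and the installed .NET shell,
# both as environment variables and in their expanded per-user form.
SUSPICIOUS_LOCATIONS = [
    re.compile(r"%TEMP%\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"%LOCALAPPDATA%\\VirtualStore\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\VirtualStore\\", re.IGNORECASE),
]


def task_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in one task's XML.

    Accepts bytes as read from disk (the on-disk files are UTF-16 with a BOM,
    which expat detects on its own) or str for the embedded samples below.
    """
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((command.strip(), arguments.strip()))
    return actions


def flag_task(task_name, task_xml):
    """Return (task_name, command, arguments) for each suspicious action, or []."""
    hits = []
    for command, arguments in task_actions(task_xml):
        haystack = command + " " + arguments
        if any(p.search(haystack) for p in SUSPICIOUS_LOCATIONS):
            hits.append((task_name, command, arguments))
    return hits


def scan_tasks_folder(tasks_dir):
    """Walk a copied System32\\Tasks tree and return every flagged action."""
    findings = []
    for dirpath, _, filenames in os.walk(tasks_dir):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings.extend(flag_task(os.path.relpath(path, tasks_dir), data))
            except ET.ParseError:
                continue  # not a task XML (stray file); skip it
    return findings


# Constructed samples, not real Turla artefacts: a benign system task and a
# task whose action runs an executable out of the VirtualStore folder.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\wermgr.exe</Command>
      <Arguments>-upload</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\alice\\AppData\\Local\\VirtualStore\\svchelper.exe</Command>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    samples = (("Microsoft\\Windows\\WER", BENIGN_TASK_XML), ("Updater", SUSPICIOUS_TASK_XML))
    for name, xml_text in samples:
        for task, cmd, args in flag_task(name, xml_text):
            print(f"SUSPICIOUS {task}: {cmd} {args}".rstrip())
```

On a live host the same check can be run against C:\Windows\System32\Tasks directly with `scan_tasks_folder`; on an image, copy that folder out first. A hit is a lead, not proof: legitimate software occasionally schedules updaters from AppData too, so confirm the flagged executable (signature, hash, creation time) before deleting it.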
If you decide to clean the operating system manually, the first step is to inspect it for the additional threats that must also be removed. Only then can you judge whether a manual clean-up has a realistic chance of success. Inspecting a system by hand is very difficult, so a legitimate malware scanner is the practical way to cover this step: it will tell you whether Topinambour has to be deleted alongside other malicious infections, which is the likely outcome. If you cannot remove them all yourself, installing an anti-malware tool that can handle the situation is the best move. Since Topinambour is most likely to affect large networks of systems, the right response may also depend on your organisation's security protocols and the processes your security team follows. Finally, if you notice something unusual, do not ignore it; it could be a malicious infection in disguise.