KopiLuwak Removal Guide

Do you know what KopiLuwak is?

It is very unlikely that this backdoor would ever reach individual desktop computers at home, but let’s take some precautions and learn about it beforehand. KopiLuwak is nothing new, but it usually targets government institutions and other official bodies that may hold a lot of important information. Yet, these days, no information is useless, so it might as well reach regular users, too.

Luckily, it is not complicated to remove KopiLuwak from the infected computer. It is a lot harder to stop the people behind it from infecting you with something else. But let’s just start from the very beginning, shall we?

Security researchers suggest that KopiLuwak is used by the Russian threat group Turla. This group first emerged back in 2014. Ever since then, the actor has employed multiple types of cyber tools to spy on various government institutions and steal important information. KopiLuwak is one of these backdoors, used as a reconnaissance tool. There are several versions of this backdoor, but all of them function more or less the same way. Most of them reach their victims via spear-phishing attacks, which means that it is possible to avoid getting infected with KopiLuwak.

The documents that carry KopiLuwak often look like official letters from ministries and embassies. These emails come with attachments that look like DOC files, and the filenames also claim that they are legitimate documents the recipient has to open immediately. However, the document actually contains a macro that the recipient has to enable after opening the document. The moment you enable that macro, you allow KopiLuwak to enter your system.

Normally, the infection proceeds in three JavaScript layers, and when the backdoor is finally up and running, it stores the victim’s information in encrypted form. Then it establishes a connection with its C2 servers through compromised web servers.

Like most backdoors, KopiLuwak can collect information on the infected system and then transfer that information back to its C2 (which is logical, considering that this program is used as a reconnaissance tool). Also, depending on the configuration, KopiLuwak should be able to download files from the C2 and execute them on the target system.

Overall, security specialists agree that the full scope of the attack cannot be fully assessed because it is very seldom possible to observe how the likes of KopiLuwak behave in the wild. However, it is very important that we maintain safe web browsing habits and employ reliable antispyware programs to protect ourselves from such infections.

To put it simply, if KopiLuwak enters a target system, this infection can profile it and send the information about the infected machine back to its C2. Then the backdoor can steal more data and download additional payloads. Considering the usual way these infections operate, this backdoor can install more Trojans that will eventually steal sensitive information or spread further to other computers (especially if the infected machine is connected to a large network).

To avoid KopiLuwak and other similar threats, you must avoid opening documents received from unknown senders. If you think that you must open a particular document, you can always scan it with a security tool before doing that. If the document in question is malicious, a security tool will notify you immediately.

Also, if you manage several important accounts, once your system is clean and safe, you should consider changing your passwords. If you cannot come up with strong passwords yourself, you can employ a password generator. Finally, to prevent your important data from getting lost, you should back it up on an external hard drive or a cloud drive.

KopiLuwak drops its files in several locations. We will give you the paths in the removal instructions, so you can remove the files for good. Do not forget to delete the file that launched the infection, too. If you are not sure that you can terminate this backdoor on your own, you can remove it automatically with a reliable antispyware tool. This way, you would also ensure that other unwanted applications get terminated, and your system is safeguarded against other threats.

How to Remove KopiLuwak

  1. Remove the most recent files from Desktop.
  2. Open the Downloads folder and delete the most recent files.
  3. Remove the mailform.js file from the following locations:
    %LOCALAPPDATA%\Microsoft\Windows\
    %LOCALAPPDATA%\Temp
    %USERPROFILE%\Application Data\Microsoft\Windows
  4. Run a full system scan.
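Step 3 as a script, an added example that is not part of the original guide: it checks the three folders listed above for mailform.js, records each hit's SHA-256 hash and timestamps, and moves the file into a quarantine folder (the $Quarantine path is an assumption chosen here) instead of deleting it outright, so the artifact is kept for later analysis. Run it in an elevated PowerShell session.

```powershell
# Added example, not code from the original guide. Assumptions: the file name and
# folder list are exactly those given in the removal steps; $Quarantine is a path
# chosen here for illustration.
param(
    [string]$FileName   = 'mailform.js',
    [string]$Quarantine = (Join-Path $env:USERPROFILE 'KopiLuwak-quarantine')
)

# The three locations from step 3. On current Windows versions 'Application Data'
# is a legacy junction into %APPDATA%; Test-Path on a file beneath it still works.
$Locations = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows'),
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    (Join-Path $env:USERPROFILE  'Application Data\Microsoft\Windows')
)

# Collect every hit first, with hash and timestamps, before touching anything.
$hits = foreach ($dir in $Locations) {
    $candidate = Join-Path $dir $FileName
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $item = Get-Item -LiteralPath $candidate -Force   # -Force also sees hidden files
        [pscustomobject]@{
            Path     = $item.FullName
            Sha256   = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            Created  = $item.CreationTime
            Modified = $item.LastWriteTime
            Size     = $item.Length
        }
    }
}

if (-not $hits) {
    Write-Host "No $FileName found in the listed locations."
    return
}

$hits | Format-Table -AutoSize

# Quarantine rather than delete: the file can no longer be launched from its
# original path, but the evidence (and its hash) survives for the record.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($hit in $hits) {
    $dest = Join-Path $Quarantine ('{0}_{1}' -f $hit.Sha256.Substring(0, 12), $FileName)
    Move-Item -LiteralPath $hit.Path -Destination $dest -Force
    Write-Host "Quarantined $($hit.Path) -> $dest"
}
$hits | Export-Csv -LiteralPath (Join-Path $Quarantine 'hits.csv') -NoTypeInformation
```

The hits.csv written alongside the quarantined files gives the original path, hash and timestamps, which is what an incident responder will ask for if the machine turns out to be part of a larger compromise.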

In non-techie terms:

KopiLuwak is a system backdoor that cannot do a lot by itself. However, this is a dangerous tool that can be used by malevolent third parties to spy on government organizations, and to infect them with other malware. It is necessary to remove this intruder as soon as possible. If you are having trouble with this backdoor, do not hesitate to leave us a comment. Also, please consider investing in a legitimate security application.