KopiLuwak Removal Guide

Category: Trojans

Government institutions in the Middle East, Asia, Europe, North America, and South America need to beware of KopiLuwak, a dangerous backdoor Trojan that could help cyber criminals steal sensitive information and cause serious security issues on a wide scale. While Windows users outside the government systems are unlikely to be affected by this malware, if we know one thing about malicious infections, it is that they are not always predictable. For all we know, once the threat slithers into a computer used by the government, it could be used to spread spam emails containing malware to all of us. Ultimately, nothing good could come out of malware, and you need to keep it away at all costs. If it has invaded your operating system already, you need to remove it fast. If you continue reading this report, you will learn how to delete KopiLuwak, but keep in mind that if this malware was found, other threats are likely to be active too, and your personal data might have been leaked already.

Turla is the group of attackers who appear to be responsible for KopiLuwak. They appear to be using this malicious backdoor along with the ICEDCOFFEE JavaScript payload, and, once inside the targeted system, it should download Trojans and, potentially, other malicious threats too. The attackers behind this malware appear to be relying on spam emails to trick the targets into opening corrupted attachments. These attachments are most likely to look like .doc files, but, in reality, they conceal malware, and so opening them is a terrible idea. The problem is that most people are completely careless when it comes to the emails they open and interact with. Remember that even your friends’ or colleagues’ accounts could be hijacked to send you misleading emails, and so you must never let your guard down. If you are careless and you open the fictitious .doc attachment, and then you enable macros as instructed, the infection is executed on your system without you even knowing about it. KopiLuwak is dropped as “mailform.js” to the %LOCALAPPDATA%\Microsoft\Windows\, %LOCALAPPDATA%\Temp\, or %USERPROFILE%\Application Data\Microsoft\Windows\ folder.

KopiLuwak is an infection that makes it easier for cyber attackers to carry out various malicious actions. A backdoor on its own cannot be too helpful, unless it contains modules that allow it to record sensitive information or, for example, disable/delete security tools. It does not look like this backdoor is capable of doing that. Most likely, its primary task is to drop additional threats. This is a powerful capability, and cyber criminals will exploit it to achieve their goals, which are most likely to include recording private data and hijacking systems and accounts for further malware distribution. At the end of the day, KopiLuwak is most likely to be a cyber espionage instrument, as it is primarily targeted at government institutions. Could the targets change? Absolutely, but that is something that we will need to keep an eye on in the future. Right now, this Trojan attacks governments, and they are the ones responsible for securing their private data.

Macros must be disabled at all times, and you should not enable them just because someone asks you to. In many cases, ransomware and Trojans that spread via spam email request this, and if targets were more careful, the number of infected systems would decrease. Unfortunately, people continue to be careless, despite the known risks and available information. If you do not know if you can protect your system against malware effectively, you should install software that will do it for you. A reliable anti-malware program will automatically remove KopiLuwak and all other threats that pose a risk. Hopefully, you will not need to deal with new infections in the future. However, depending on the additional threats found on your operating system, you might need to take other steps too. Ultimately, it is most important that you do not ignore the situation; otherwise, you could get into more trouble.

How to delete KopiLuwak

  1. Delete recently downloaded .doc files.
  2. Launch Windows Explorer by tapping keys Win+E.
  3. Enter the following locations into the quick access field one by one to find and delete the mailform.js file:
    • %LOCALAPPDATA%\Microsoft\Windows\
    • %LOCALAPPDATA%\Temp\
    • %USERPROFILE%\Application Data\Microsoft\Windows\
  4. Empty Recycle Bin and then immediately perform a full system scan (use a legitimate malware scanner).
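
The manual check in steps 2 and 3, scripted for every local user profile, as an added example (not part of the original guide or of any vendor tool). It assumes the default profile layout, uses a hypothetical quarantine folder, and by default only reports hits with their SHA-256 so they can be recorded before anything is moved:

```powershell
param(
    [switch]$Quarantine,                                    # without this switch the script only reports
    [string]$QuarantineDir = "$env:SystemDrive\Quarantine"  # assumed folder name, adjust as needed
)

$fileName = 'mailform.js'
# The guide's three locations, written relative to a profile root
# (assumes the default layout where %LOCALAPPDATA% is <profile>\AppData\Local).
$relativeDirs = @(
    'AppData\Local\Microsoft\Windows',
    'AppData\Local\Temp',
    'Application Data\Microsoft\Windows'
)

# Every non-system profile on the machine; run elevated to read other users' folders.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath } |
    Select-Object -ExpandProperty LocalPath

$hits = foreach ($root in $profiles) {
    foreach ($dir in $relativeDirs) {
        $candidate = Join-Path (Join-Path $root $dir) $fileName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $item = Get-Item -LiteralPath $candidate -Force   # -Force: also hidden/system files
            [pscustomobject]@{
                Path     = $item.FullName
                SHA256   = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
                Created  = $item.CreationTimeUtc
                Modified = $item.LastWriteTimeUtc
            }
        }
    }
}

if (-not $hits) { Write-Output "No $fileName found in the listed locations."; return }
$hits | Format-List

if ($Quarantine) {
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($hit in $hits) {
        # Rename on move so the script cannot be launched by a double-click.
        $dest = Join-Path $QuarantineDir ("{0}_{1}.quarantined" -f $hit.SHA256.Substring(0, 12), $fileName)
        Move-Item -LiteralPath $hit.Path -Destination $dest -Force
        Write-Output "Moved $($hit.Path) -> $dest"
    }
}
```

Keeping the quarantined copy and its hash lets the full system scan in step 4 and any later investigation confirm what the file actually was.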