Turla, a known Russian threat actor allegedly tied to the Kremlin, was observed recycling a decade-old and defunct malware to gain access to endpoints in Ukraine and spy on its targets.
A report by cybersecurity experts Mandiant found that in mid-2022, Turla was re-registering expired domains of Andromeda, a common banking trojan that was being widely distributed almost a decade ago – in 2013.
By doing so, the group would take over the malware’s command & control (C2) servers, gaining access to the once-infected endpoints and their sensitive information.
Hiding in plain sight
One of the advantages of this novel approach, the researchers claim, is the ability to stay hidden from cybersecurity researchers.
“Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” says John Hultquist, lead intelligence analyst at Mandiant. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”
But what raised the alarms with Mandiant is the fact that Andromeda deployed two additional pieces of malware – a reconnaissance tool named Kopiluwak, and a backdoor named Quietcanary. It was the former that gave it away, as it’s a tool that was used by Turla in the past, as well.
In total, three expired domains were observed to have been re-registered last year, connecting to “hundreds” of Andromeda infections, all giving Turla access to sensitive data. “By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”
Turla used this novel approach to target endpoints in Ukraine, the researchers said, adding that, so far, this is the only country being attacked.
Via: Wired (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba