Hackers From Russia Use Outdated Malware Infrastructure to Install New Backdoors on Turla Platform

The Russian cyberespionage group Turla has been observed using a decade-old malware attack infrastructure to deliver its reconnaissance and backdoor tools to targets in Ukraine. According to Google-owned Mandiant, which tracks the activity under the uncategorized cluster identifier UNC4210, the infrastructure that was taken over belonged to a variant of a commodity malware family dubbed ANDROMEDA (also known as Gamarue); the sample in question was uploaded to VirusTotal in 2013.

“UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022,” Mandiant researchers said in a recently-published analysis.

The elite nation-state group Turla, also known as Iron Hunter, Uroburos, Krypton, Venomous Bear, and Waterbug, primarily targets governmental, diplomatic, and military institutions using a wide variety of customized malware. The antagonistic group has been connected to several credential phishing and reconnaissance operations targeted at Ukraine companies since Russia’s military intervention in February 2022.

According to Google’s Threat Analysis Group (TAG), Turla allegedly developed a malicious Android app in July 2022 to purportedly “help” pro-Ukrainian hacktivists in launching distributed denial-of-service (DDoS) attacks against Russian websites. The most recent finding from Mandiant demonstrates how Turla has been covertly appropriating prior infections as a malware distribution strategy and profiting on ANDROMEDA’s ability to propagate through infected USB keys.

“USB spreading malware continues to be a useful vector to gain initial access into organizations,” said the threat intelligence firm.

In the incident investigated by Mandiant, a malicious Windows shortcut (.LNK) file disguised as a folder on the USB drive was launched after an infected USB stick was reportedly inserted at an unnamed Ukrainian organization in December 2021, ultimately leading to the deployment of a legacy ANDROMEDA artifact on the host. The threat actor then used one of the abandoned domains that had been part of ANDROMEDA’s defunct C2 infrastructure, re-registered in January 2022, to profile the victim by delivering the first-stage KOPILUWAK dropper, a JavaScript-based network reconnaissance tool.

Two days later, on September 8, 2022, the attack entered its final stage with the execution of a .NET-based implant known as QUIETCANARY (also known as Tunnus), which exfiltrated files written after January 1, 2021. The tactics used by Turla are consistent with earlier reports of the group’s extensive victim-profiling efforts during the Russo-Ukrainian War, which likely help it tailor its follow-on exploitation to harvest the information of interest to Russia. It is also one of the few documented cases of a hacking group preying on the victims of another malware operation while disguising its true intentions.

According to the researchers, these re-registered domains pose a concern because new threat actors can seize control of them and distribute new malware to victims as older ANDROMEDA infections continue to spread through infected USB devices. This novel technique of claiming the expired domains of widely distributed, financially motivated malware can lead to further compromises at a range of organizations. Furthermore, defenders triaging a high volume of alerts may be more likely to dismiss older malware and its infrastructure as low priority.
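One way a defender can act on that last point is to stop treating alerts for old, "dead" C2 domains as noise and instead watch for two signals in DNS resolver logs: hosts still querying legacy C2 domains (the ANDROMEDA infection is still present on that host) and a legacy domain that previously returned NXDOMAIN suddenly resolving to an address (the expired domain has been re-registered and may now deliver a new payload). The script below is an added example written for this article, not Mandiant's tooling or anything published with the report; the domain names, client addresses, answers and log lines are all constructed placeholders (the `.invalid` TLD is reserved and never resolves), and the log format is an assumed five-column layout that you would adapt to your own resolver.

```python
"""Triage of DNS resolver logs for legacy C2 domains that have come back to life.

Added example, not code from the article or from Mandiant. Every domain, IP
address and log line here is constructed; a real legacy-C2 list would come
from your own threat-intelligence feed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed IoC list: C2 domains from a defunct malware infrastructure.
LEGACY_C2_DOMAINS = {
    "legacy-c2-example-1.invalid",
    "legacy-c2-example-2.invalid",
}

# Constructed resolver log, assumed format: "<timestamp> <client_ip> <qname> <rcode> <answer>".
# One host keeps querying a legacy domain; on 2022-09-05 that domain starts resolving.
SAMPLE_DNS_LOG = """\
2022-08-30T10:02:11Z 10.1.4.23 legacy-c2-example-1.invalid NXDOMAIN -
2022-09-01T09:15:40Z 10.1.4.23 legacy-c2-example-1.invalid NXDOMAIN -
2022-09-05T08:44:02Z 10.1.4.23 legacy-c2-example-1.invalid NOERROR 203.0.113.7
2022-09-06T08:44:09Z 10.1.4.23 legacy-c2-example-1.invalid NOERROR 203.0.113.7
2022-09-06T12:00:00Z 10.1.7.9 www.example.com NOERROR 93.184.216.34
2022-09-06T12:30:00Z 10.1.4.23 legacy-c2-example-2.invalid NXDOMAIN -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NXDOMAIN|NOERROR|SERVFAIL) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, rcode, answer); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode, answer = m.groups()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield ts, client, qname.lower().rstrip("."), rcode, answer


def infected_clients(log_text, legacy_domains):
    """Hosts that query any legacy C2 domain at all, regardless of the answer.
    A query for a dead domain still means the old implant is running on that host."""
    return {client for _, client, qname, _, _ in parse_log(log_text) if qname in legacy_domains}


def find_revived_domains(log_text, legacy_domains):
    """Legacy C2 domains that now resolve. For each, report the first resolving
    answer, whether the log shows NXDOMAIN before it (expired, then re-registered)
    and which clients received the live answer."""
    history = defaultdict(list)
    for ts, client, qname, rcode, answer in parse_log(log_text):
        if qname in legacy_domains:
            history[qname].append((ts, client, rcode, answer))

    findings = {}
    for domain, events in history.items():
        events.sort()  # chronological order; sorting also handles out-of-order log lines
        seen_nxdomain = False
        for ts, client, rcode, answer in events:
            if rcode == "NXDOMAIN":
                seen_nxdomain = True
                continue
            if rcode != "NOERROR":
                continue
            entry = findings.setdefault(domain, {
                "revived_at": ts,
                "answer": answer,
                "previously_nxdomain": seen_nxdomain,
                "clients": [],
            })
            if client not in entry["clients"]:
                entry["clients"].append(client)
    return findings


if __name__ == "__main__":
    for host in sorted(infected_clients(SAMPLE_DNS_LOG, LEGACY_C2_DOMAINS)):
        print(f"[infected] {host} still beacons to a legacy C2 domain")
    for domain, info in find_revived_domains(SAMPLE_DNS_LOG, LEGACY_C2_DOMAINS).items():
        print(f"[revived] {domain} -> {info['answer']} at {info['revived_at'].isoformat()} "
              f"(prior NXDOMAIN: {info['previously_nxdomain']}, clients: {info['clients']})")
```

The two findings call for different responses: a host in `infected_clients` needs the old ANDROMEDA infection cleaned up even if the domain never resolves, while a domain in `find_revived_domains` is an immediate escalation, because the address it now returns is a live delivery point for whoever re-registered it and every client listed has already reached it.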

The findings also come as Reuters revealed that three nuclear research institutes in the United States were targeted in early 2022 by another Russian state-sponsored threat group known as COLDRIVER (aka Callisto or SEABORGIUM). To that end, the attacks involved creating bogus login pages for the Lawrence Livermore, Argonne, and Brookhaven National Laboratories to trick nuclear scientists into disclosing their credentials. The tactics are in line with known COLDRIVER activity, which was recently exposed spoofing the login pages of NGOs, think tanks, and institutions of higher learning in the UK and the US, as well as defense and intelligence consultancy firms.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.