Russia’s Turla falls back on old malware C2 domains to avoid detection
Organisations that fell victim to Andromeda, a commodity malware that dates back 12 years, appear to be susceptible to compromise by the Moscow-backed advanced persistent threat (APT) group tracked variously as UNC2410 or Turla, according to Mandiant, which has observed the group reactivating second-hand command and control (C2) infrastructure in a year-long campaign against Ukrainian targets.
Andromeda is a trojan that performed various functions, most notably the downloading of other malware used to surveil or steal data from victims. As a modular bot, its capabilities could also be expanded if desired. It was tied to the Andromeda botnet allegedly masterminded by a Belarusian national who was arrested in 2017.
At one time one of the most widespread malwares seen in the wild, it still pops up from time to time, notably in 2021 when it was found lurking on the hard drives of refurbished laptops given to vulnerable children as part of a UK government scheme.
Mandiant said it now has evidence that Turla has been re-registering expired C2 domains used by financially motivated threat groups to distribute Andromeda in the 2010s.
Its use of Andromeda’s C2 infrastructure appears to have begun in January 2022, when Turla began to profile new victims by spreading compromised USB keys containing Andromeda in Ukraine, where all known victims of this campaign are located. This would have been ahead of Russia’s invasion in February, and according to Mandiant, this is the first observation of Turla activity linked to the war.
The C2 infrastructure was used to gather basic system information and IP addresses on the victims and help Turla decide whether or not to attack them for real. It then targeted them with a reconnaissance utility known as Kopiluwak, after which it deployed the Quietcanary backdoor, which stole data including Microsoft Office documents, PDFs, text files and LNK files.
“Removable media remains a powerful if indiscriminate tool for cyber criminals and state actors alike. Turla, which has been linked to the FSB, famously used removable media before in a widespread incident that led to loud, mass proliferation across DoD [US Department of Defence] systems over a decade ago. The proliferation of Agent.BTZ, clearly beyond the intent of the service, led to unprecedented response and exposure of the FSB operations,” said Mandiant’s head of threat intelligence, John Hultquist.
“This incident is familiar, but the new spin is the actors aren’t releasing their own USB malware into the wild. Now, they’re benefiting from another actor’s work by taking over their command and control. By doing so, Turla removes itself from the high-profile dirty work of proliferation but still gets to pick victims of interest.
“Accesses obtained by cyber criminals are an increasingly leveraged tool for Russian intelligence services who can buy or steal them for their own purposes,” he added.
Hultquist said that by exploiting old, well-known malware and its infrastructure, Turla’s operation was more likely to be overlooked by defenders who have to spend time triaging all kinds of alerts.
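One way a defender can counter this kind of infrastructure reuse, as an added example that is not code from the article or from Mandiant: cross-reference resolver logs against a list of legacy Andromeda C2 domains and re-prioritise any hit whose current WHOIS creation date postdates the original registration's expiry, since a stale IoC that has just been re-registered is exactly the signal of reuse described above. All domain names (reserved .example names), dates and log lines are constructed placeholders.

```python
from collections import namedtuple
from datetime import date
# Constructed placeholder list of legacy Andromeda C2 domains (reserved .example
# names, not real IoCs), each mapped to the expiry date of the registration that
# the original Andromeda distribution campaign used.
LEGACY_C2 = {
    "andromeda-dl.example": date(2016, 3, 1),
    "bot-panel.example": date(2015, 9, 12),
}

# Constructed stand-in for a WHOIS/RDAP lookup: creation date of the domain's
# current registration. A live lookup would replace this dictionary.
WHOIS_CREATED = {
    "andromeda-dl.example": date(2022, 1, 10),  # registered afresh after expiry
    "bot-panel.example": date(2013, 5, 5),      # predates expiry: same registration
}

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-domain>"
DNS_LOG = """\
2022-03-02T10:15:01Z 10.0.0.23 andromeda-dl.example
2022-03-02T10:15:07Z 10.0.0.23 update.microsoft.com
2022-03-02T10:16:45Z 10.0.0.41 bot-panel.example
"""

Finding = namedtuple("Finding", "ts client domain priority reason")

def classify(domain, whois=WHOIS_CREATED, legacy=LEGACY_C2):
    """Return (priority, reason) for a queried domain, or None if it is not listed."""
    expiry = legacy.get(domain)
    if expiry is None:
        return None
    created = whois.get(domain)
    if created is None:
        return ("medium", "legacy Andromeda C2; current registration unknown")
    if created > expiry:
        # Fresh registration of an expired C2 domain: the reuse pattern the article describes
        return ("high", "legacy Andromeda C2 re-registered after expiry; treat as live")
    return ("low", "legacy Andromeda C2 on its original registration; likely dormant or sinkholed")

def scan(log=DNS_LOG):
    """Parse resolver log lines and return findings, highest priority first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for line in log.splitlines():
        ts, client, domain = line.split()
        hit = classify(domain)
        if hit:
            findings.append(Finding(ts, client, domain, *hit))
    return sorted(findings, key=lambda f: order[f.priority])
```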
This is not the first time Turla has been observed exploiting the work of other ne’er-do-wells for its own ends. In early 2020, it emerged that it had been opportunistically hijacking Iranian infrastructure and using implants stolen from Tehran-linked APT34 to target victims.
Further back, it is also thought to have used Chinese-state-attributed malware in a series of attacks in 2012, downloading then uninstalling the malware to divert attention away from its own activities.
Although the Turla operation was focused on Ukraine, Turla’s targeting has encompassed Nato countries in the past. As such, organisations in sectors it is known to have an interest in should be alert. These include, but may not be limited to, military organisations, government departments, academic and research institutions, and publishing and media companies. Targets often have particular interests in scientific and energy research, and diplomatic affairs. A full list of indicators of compromise (IoCs) is available from Mandiant.