Russia hacker group hijacks USB attacks by other criminals
Turla, a well-known Russian threat actor reportedly associated with the Kremlin, was observed recycling decade-old and defunct malware to access endpoints in Ukraine and spy on its targets.
A report by cybersecurity experts Mandiant found that, in mid-2022, Turla was re-registering expired domains of Andromeda, a common banking trojan that was widely spread almost a decade ago, in 2013.
By doing so, the group would take over the malware’s command and control (C2) servers and gain access to the once-infected endpoints and their sensitive information.
Hide in plain sight
One of the benefits of this new approach, the researchers argue, is the ability to remain hidden from cybersecurity researchers.
“Because the malware has already spread via USB, Turla can take advantage of it without exposing itself. Instead of using their own USB tools like agent.btz, they can sit on someone else’s,” said John Hultquist, chief intelligence analyst at Mandiant. “They piggyback on other people’s operations. It is a very smart way of doing business.”
But what raised the alarm with Mandiant is the fact that Andromeda deployed two additional pieces of malware: a reconnaissance tool called Kopiluwak and a backdoor called Quietcanary. The former gave the operation away, as it is a tool Turla has used in the past.
A total of three expired domains were re-registered last year, connecting to “hundreds” of Andromeda infections, all of which allowed Turla to access sensitive data. “In principle, this makes it much easier to stay under the radar. You don’t spam a lot of people, you let someone else spam a lot of people,” says Hultquist. “That’s when you start choosing which goals were worth your time and your exposure.”
Turla used this new approach to target endpoints in Ukraine, the researchers said, adding that it is the only country under attack so far.
Via: Wired