Turla, a well-known Russian threat actor with alleged ties to the Kremlin, has been observed reviving a decade-old, long-defunct malware family to gain access to endpoints in Ukraine and spy on its targets.
A report by the cybersecurity firm Mandiant found that by mid-2022, Turla was re-registering expired command and control (C2) domains belonging to Andromeda, a widely distributed commodity Trojan that was spreading nearly a decade ago, in 2013.
Machines infected back then and never cleaned up were still beaconing to those domains. By owning the domains, Turla inherited the old C2 channel: it could see which endpoints were still infected, learn about them, and reach the sensitive information they held.
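The defensive check a practitioner wants after reading this is: which of my hosts are still beaconing to long-dead C2 domains, and have any of those domains quietly come back to life under a new registrant? The script below is an added example written for this page; it is not code from the original article or from Mandiant, and every domain, registration date and resolver log line in it is constructed for illustration (RFC 2606 `.example` names, documentation IP ranges). It joins a list of legacy C2 domains, with their lapsed expiry and any known re-registration date, against DNS query logs, and labels each beaconing host: a query that gets NXDOMAIN means an infection with no live C2, while a query that resolves against a domain re-registered after it lapsed is a hijack candidate.

```python
"""Find hosts still beaconing to legacy C2 domains and flag domains that
changed hands. Constructed example: the domains, dates, IPs and log lines
below are invented for illustration, not taken from any vendor report."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Registration:
    domain: str
    original_expiry: date       # when the original operator's registration lapsed
    reregistered: date | None   # when someone else picked the name up, if known


# Constructed: dormant C2 domains of a decade-old commodity malware family,
# with registration history as you would pull it from WHOIS/RDAP archives.
LEGACY_C2: dict[str, Registration] = {
    "dropper-c2-a.example": Registration("dropper-c2-a.example", date(2014, 3, 2), date(2022, 2, 11)),
    "dropper-c2-b.example": Registration("dropper-c2-b.example", date(2014, 8, 20), None),
    "dropper-c2-c.example": Registration("dropper-c2-c.example", date(2015, 1, 9), date(2022, 6, 30)),
}

# Constructed resolver log, one query per line.
DNS_LOG = """\
2022-09-14T10:00:01Z host=ws-17 qname=dropper-c2-a.example qtype=A rcode=NOERROR answer=203.0.113.7
2022-09-14T10:00:03Z host=ws-17 qname=updates.example qtype=A rcode=NOERROR answer=198.51.100.20
2022-09-14T10:05:44Z host=ws-03 qname=dropper-c2-b.example qtype=A rcode=NXDOMAIN answer=-
2022-09-14T10:06:10Z host=ws-22 qname=dropper-c2-c.example qtype=A rcode=NOERROR answer=203.0.113.9
2022-09-14T10:06:12Z host=ws-22 qname=dropper-c2-c.example qtype=A rcode=NOERROR answer=203.0.113.9
2022-09-14T10:09:00Z host=ws-41 qname=mail.example qtype=MX rcode=NOERROR answer=mx.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) qtype=\S+ "
    r"rcode=(?P<rcode>\S+) answer=(?P<answer>\S+)$"
)


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(domain: str, rcode: str) -> str:
    """Verdict for a query to a known legacy C2 domain.

    dormant-beacon        the host is infected but the C2 name does not resolve
    hijacked-c2           the name resolves and was re-registered after it lapsed
    live-c2-unknown-owner the name resolves but we have no re-registration record
    """
    reg = LEGACY_C2[domain]
    if rcode != "NOERROR":
        return "dormant-beacon"
    if reg.reregistered is not None and reg.reregistered > reg.original_expiry:
        return "hijacked-c2"
    return "live-c2-unknown-owner"


def find_beacons(log: str) -> dict[str, list[tuple[str, str]]]:
    """Map each beaconing host to its unique (domain, verdict) pairs, sorted."""
    seen: dict[str, set[tuple[str, str]]] = {}
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in LEGACY_C2:
            continue
        verdict = classify(rec["qname"], rec["rcode"])
        seen.setdefault(rec["host"], set()).add((rec["qname"], verdict))
    return {host: sorted(pairs) for host, pairs in sorted(seen.items())}


if __name__ == "__main__":
    for host, findings in find_beacons(DNS_LOG).items():
        for domain, verdict in findings:
            print(f"{host:8} {domain:24} {verdict}")
```

Two caveats apply in practice. A resolving answer on its own proves nothing: sinkhole operators and researchers also re-register abandoned C2 names, so the registration history (and who holds the name now) is what separates a benign sinkhole from a hijack. And a `dormant-beacon` host is still a cleanup job: the infection is intact and will follow the domain to whoever registers it next.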
Hidden in plain sight
One advantage of this approach, the researchers say, is that it lets Turla stay hidden from security researchers: the infections it rides on were seeded years ago by someone else.
“Because malware has already proliferated via USB, Turla can take advantage of that without exposing itself. Instead of using their own USB tools like agent.btz, they can use someone else’s,” says John Hultquist, Mandiant’s principal intelligence analyst. “They are taking advantage of other people’s operations. It’s a really smart way of doing business.”
But what set alarm bells ringing at Mandiant was that the Andromeda infections went on to deploy two additional pieces of malware: a reconnaissance tool called Kopiluwak and a backdoor called Quietcanary. It was the former that gave the game away, since it is a tool Turla has used in the past.
In all, three expired domains were observed to have been re-registered in the past year, connecting to “hundreds” of Andromeda infections, each of which gave Turla a foothold on the host and access to its data. “By doing this, you can basically blend in much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “So you started picking and choosing which goals were worth your time and your exposure.”
Turla used this approach to target endpoints in Ukraine, the researchers said, and so far Ukraine is the only country where the activity has been observed.
Via: Wired