Turla, a Russian cyberespionage group, has been observed using malware called ANDROMEDA (also known as Gamarue) to deliver its own reconnaissance and backdoor tools to targets in Ukraine.
ANDROMEDA is a variant of a commodity malware that was uploaded to VirusTotal in 2013 and is being tracked by Mandiant under the name UNC4210. The group has been using servers infected with ANDROMEDA to carry out its attacks.
Diving into details
Turla has been using older infections as a way to distribute its malware stealthily. In addition, the group has been exploiting the fact that ANDROMEDA spreads through infected USB keys to help spread its malware.
- This is a new tactic for the group, as it allows the attackers to take advantage of already established infection networks to deliver malware.
- In January 2022, the threat actor re-registered a dormant domain that was previously part of ANDROMEDA's C2 infrastructure.
- The group then used this domain to deliver a JavaScript-based network reconnaissance tool called KOPILUWAK dropper to profile the victim.
- On September 8, 2022, the attack reached its final stage with the execution of a .NET-based implant called QUIETCANARY (also known as Tunnus). This resulted in the exfiltration of files created after January 1, 2021.
Why this matters
Turla has been using advanced tactics, including victim profiling, to tailor its exploitation efforts to target specific information of interest to Russia.
- This is a rare instance of a hacking group being identified as targeting victims of another malware campaign in order to achieve its own goals, while also trying to hide its involvement.
- The Russian cybercrime group has been using expired domains associated with widely-distributed, financially-motivated malware to deliver its own malware to victims.
- This technique allows the group to compromise a wide range of entities and may be difficult for defenders to detect because it involves older malware and infrastructure.
The bottom line
This is the first time Turla has been observed targeting Ukrainian entities since the invasion began. The group's tactics in this campaign are consistent with its usual planning and positioning to gain initial access to victim systems. In the past, Turla has used USBs and conducted extensive victim profiling to achieve its objectives.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock-157637870.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/a7d8_shutterstock_1439856428.jpg)
