Turla, a well-known Russian threat actor allegedly linked to the Kremlin, was spotted recycling a decade-old, defunct piece of malware to gain access to endpoints in Ukraine and spy on its targets.
A report by cybersecurity firm Mandiant revealed that in mid-2022 Turla re-registered expired domains once used by Andromeda, a banking Trojan that was widespread almost a decade ago, in 2013.
By doing so, the group could take over the malware’s Command & Control (C2) infrastructure and regain access to the once-infected endpoints and the sensitive information on them.
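The defensive counterpart to the takeover described above is to check whether hosts are still looking up old C2 domains, and whether those domains have quietly changed hands. The following is an added example, not code from the article or from Mandiant; the legacy-C2 watchlist, the WHOIS-style registration records and the DNS log lines are all constructed for the example, and a real deployment would pull them from a threat-intel feed, an RDAP/WHOIS client and the resolver's query logs.

```python
"""Triage DNS lookups of legacy botnet C2 domains by registration status.

Added example: watchlist, registration records and log lines below are
constructed placeholders (.invalid TLD), not real indicators.
"""
import re
from datetime import date

# Constructed watchlist: domains an old botnet once used for C2.
LEGACY_C2_DOMAINS = {
    "legacy-c2-example-a.invalid",
    "legacy-c2-example-b.invalid",
    "legacy-c2-example-c.invalid",
}

# Constructed RDAP/WHOIS-style records. A creation date long after the
# original campaign means the domain lapsed and was re-registered by someone
# else; None means it is currently unregistered and could be taken over.
REGISTRATION_RECORDS = {
    "legacy-c2-example-a.invalid": {"created": date(2022, 6, 14)},  # re-registered
    "legacy-c2-example-b.invalid": {"created": date(2013, 3, 2)},   # never lapsed
    "legacy-c2-example-c.invalid": None,                            # unregistered
}

# Constructed BIND-style query log lines, including one malformed line.
SAMPLE_DNS_LOG = """\
2022-09-01T08:15:02Z client 10.1.4.22 query: legacy-c2-example-a.invalid. IN A
2022-09-01T08:15:03Z client 10.1.4.22 query: www.example.com. IN A
2022-09-01T08:16:40Z client 10.1.7.9 query: legacy-c2-example-b.invalid. IN A
2022-09-01T08:17:11Z client 10.1.9.31 query: legacy-c2-example-c.invalid. IN A
malformed line that should be skipped
"""

DNS_LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def registration_status(domain, records, as_of, max_age_days=365):
    """Classify a domain as unregistered, recently re-registered, or long-standing."""
    rec = records.get(domain)
    if rec is None:
        return "unregistered"
    if (as_of - rec["created"]).days <= max_age_days:
        return "reregistered"
    return "long-standing"


def find_legacy_c2_lookups(dns_log, watchlist, records, as_of, max_age_days=365):
    """Return (source_host, domain, status) for every lookup of a watchlisted domain.

    Any hit means a host still carries the old infection; a 'reregistered'
    status is the signal that the dormant C2 may now answer to a new operator.
    """
    hits = []
    for line in dns_log.splitlines():
        m = DNS_LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not parse as query log entries
        qname = m.group("qname").rstrip(".").lower()
        if qname in watchlist:
            status = registration_status(qname, records, as_of, max_age_days)
            hits.append((m.group("src"), qname, status))
    return hits


if __name__ == "__main__":
    for src, domain, status in find_legacy_c2_lookups(
        SAMPLE_DNS_LOG, LEGACY_C2_DOMAINS, REGISTRATION_RECORDS, date(2022, 9, 1)
    ):
        print(f"{src} -> {domain} [{status}]")
```

Every hit is worth remediating regardless of status, since the querying host is still infected; the "reregistered" and "unregistered" rows are the ones to escalate, because they mark domains that either already have a new owner or are available to anyone willing to register them.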
Hide in plain sight
One of the benefits of this novel approach, the researchers say, is the ability to hide from cybersecurity researchers.
“Since the malware has already spread via USB, Turla can take advantage of this without exposing itself. Instead of using their own USB tools like agent.btz, they can rely on someone else’s,” says John Hultquist, Lead Intelligence Analyst at Mandiant. “You piggyback on other people’s surgeries. It’s a really smart way of doing business.”
What alarmed Mandiant, however, was that Andromeda had installed two additional pieces of malware: a reconnaissance tool called Kopiluwak and a backdoor called Quietcanary. The former gave the group away, as Turla has used that tool in the past.
Overall, three expired domains were observed being re-registered in the past year, linked to “hundreds” of Andromeda infections, giving Turla access to sensitive data. “It’s basically a lot better to stay under the radar. You don’t spam a lot of people, you let someone else spam a lot of people,” says Hultquist. “Then you start picking and choosing which targets are worth your time and your exposure.”
Turla used this novel approach to attack endpoints in Ukraine, the researchers said, adding that so far it is the only country known to have been targeted.
Via: Wired