A nation-state cyber crew, suspected to be the Russia-tied Turla Team, is distributing the Kopiluwak reconnaissance utility and the QuietCanary backdoor on Ukraine targets via three expired command and control (C2) domains the group re-registered associated with the 10-year-old Andromeda malware.
Mandiant Researchers Track Turla
Mandiant's research team, which tracks Turla as UNC4210, discovered the operation to take control of the domains that were part of the Andromeda defunct C2 infrastructure. Andromeda malware, a former commodity malware program widespread since 2010, is still used to hit a variety of industries. But the Ukraine attacks are unique and “novel” in that it is the only time it has been delivered aimed at the financial sector, Mandiant said.
The particular version whose C2 was hijacked by UNC4210 was first uploaded to the antivirus scanning service VirusTotal in 2013 and spreads from infected USB keys, Mandiant said. The Ukraine attack began in December 2021 with a phishing expedition in which an employee inserted an infected USB drive into a system at a Ukrainian organization and mistakenly clicked on the malicious link, Mandiant said.
According to Mandiant:
"As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims."
Turla and Andromeda Connected?
There is no relationship between the Turla Team and the group behind Andromeda, Tyler McLellan, senior principal analyst at Mandiant told Dark Reading. "Co-opting the Andromeda domains and using them to deliver malware to Andromeda victims is a new one," he reportedly said. "We've seen threat actors reregister another group's domains, but never observed a group deliver malware to victims of another."
Kopiluwak is a JavaScript-based reconnaissance utility used to profile victims that Mandiant has tracked since 2017, the company said. As in the case with the Ukraine operation, the espionage utility is delivered as a malicious attachment in the first stage of an attack.
As Mandiant wrote:
“This is Mandiant’s first observation of suspected Turla targeting Ukrainian entities since the onset of the invasion. The campaign’s operational tactics appear consistent with Turla’s considerations for planning and advantageous positioning to achieve initial access into victim systems, as the group has leveraged USBs and conducted extensive victim profiling in the past."
Two days after the initial execution of and reconnaissance of the reconnaissance utility, on September 8, 2022, Mandiant detected UNC4210 download QuietCanary to a host twice, but only executing commands through it on the second time. Turla used QuietCanary (aka Tunnus) primarily to gather and exfiltrate data from the victim, the security provider said.
Mandiant shed further light on Turla:
“In this case, the extensive profiling achieved since January possibly allowed the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance to inform Russian priorities."
