Russia’s Turla falls back on old malware C2 domains to avoid detection

Organisations that fell victim to Andromeda, a commodity malware that dates back 12 years, seem to be at risk of compromise by the Moscow-backed advanced persistent threat (APT) group tracked variously as UNC2410 or Turla, according to Mandiant, which has observed the group reactivating second-hand command and control (C2) infrastructure in a year-long campaign against Ukrainian targets.

Andromeda is a trojan that performed various functions, most notably the downloading of other malware used to surveil or steal data from victims. As a modular bot, its capabilities could also be expanded if wanted. It was tied to the Andromeda botnet allegedly masterminded by a Belarussian national who was arrested in 2017.

At one time one of the most widespread malwares seen in the wild, it still pops up from time to time, notably in 2021 when it was found lurking on the hard drives of refurbished laptops given to vulnerable children as part of a UK government scheme.

Mandiant said it now has evidence that Turla has been re-registering expired C2 domains used by financially motivated threat groups to distribute Andromeda in the 2010s.

Its use of Andromeda’s C2 infrastructure seems to have started in January 2022, when Turla began to profile new victims by spreading compromised USB keys containing Andromeda in Ukraine, where all known victims of this campaign are located. This would have been ahead of Russia’s invasion in February, and according to Mandiant, this is the first observation of Turla activity linked to the war.

The C2 infrastructure was used to gather basic system information and IP addresses on the victims and help Turla determine whether or not to attack them for real. It then targeted them with a reconnaissance utility called Kopiluwak, after which it deployed the Quietcanary backdoor that stole data including Microsoft Office documents, PDFs, text files and LNK files.

“Removable media remains a powerful if indiscriminate tool for cyber criminals and state actors alike. Turla, which has been linked to the FSB, famously used removable media before in a widespread incident that led to loud, mass proliferation across DoD [US Department of Defence] systems over a decade ago. The proliferation of Agent.BTZ, clearly beyond the intent of the service, led to unprecedented response and exposure of the FSB operations,” said Mandiant’s head of threat intelligence, John Hultquist.

“This incident is familiar, but the new spin is the actors aren’t releasing their own USB malware into the wild. Now, they are taking advantage of another actor’s work by taking over their command and control. By doing so, Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.

“Accesses obtained by cyber criminals are an increasingly leveraged tool for Russian intelligence services who can buy or steal them for their own purposes,” he added.

Hultquist said that by exploiting old, well-known malware and its infrastructure, Turla’s operation was more likely to be overlooked by defenders who have to spend time triaging a wide variety of alerts.

This is not the first time Turla has been observed exploiting the work of other ne’er-do-wells for its own ends. In early 2020, it emerged that it had been opportunistically hijacking Iranian infrastructure and used implants stolen from Tehran-linked APT34 to target victims.

Further back, it is also thought to have used Chinese-state-attributed malware in a series of attacks in 2012, downloading then uninstalling the malware to divert attention away from its own activities.

Although the Turla operation was focused on Ukraine, Turla’s targeting has encompassed Nato countries in the past. As such, organisations in sectors it is known to have an interest in should be alert. These include, but may not be limited to, military organisations, government departments, academic and research institutions, and publishing and media companies. Targets often have specific interests in scientific and energy research, and diplomatic affairs. A full list of indicators of compromise (IoCs) is available from Mandiant.

Leave a Reply

Your email address will not be published. Required fields are marked *