Russian state-sponsored cyber threat actor Turla victimized a Ukrainian organization in a recent attack. The hackers leveraged legacy Andromeda malware that was executed by other hackers via an infected USB drive, Mandiant reports.
Turla is active since at least 2006, however, the group came into light in 2008 as the group was behind the agent.btz, a venomous piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by the Pentagon employee who was unaware of the danger.
Also, the group has been historically associated with the use of the ComRAT malware.
After 15 years, the group again came into the spotlight. However, this time the group is trying a new trick that is hijacking the USB infections of other malicious actors to piggyback on their infections to spy on targets.
Legacy Andromeda malware also known as Wauchos or Gamarue which has been active since at least September 2011, is a modular trojan that is capable of checking whether it is being executed or debugged in a virtual environment by using anti-virtual machine techniques.
In the Turla-suspected operation tracked as UNC4210, at least three expired Andromeda command and control (C&C) domains were used for victim profiling, Mandiant discovered.
The attack took place in September 2022, however, the Ukrainian organization was infected with a legacy Andromeda sample in December 2021 via an infected USB drive. A malicious LNK file on the drive was used for malware installations. Also, it downloads other malware from its commanding servers in order to steal information from infected computers. The countries that are most affected by the malware are India (24%), Vietnam (12%), and Iran (7%).
The study on Turla operations has been conducted by Kaspersky, Symantec, and CrySyS Lab in Budapest and they revealed that the threat actors behind the campaign are highly sophisticated in their methods. More than one malicious file is used by the threat actor to accomplish their end goals.
First, a backdoor mostly known as “Wipbot” and “Tavdig” (also known as “WorldCupSec” or “TadjMakhal”) is designed to collect important data. Then it delivered its main module, which has the ability to execute a variety of commands and exfiltrate data on the targeted system.
“As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities,” Mandiant reported.
Furthermore, it says that this is the first suspected Turla attack that has targeted Ukrainian organizations after the Russian invasion.
