Russia-Linked Turla APT Sneakily Co-Opts Ancient Andromeda USB Infections

A hacking group — suspected to be the Russia-linked Turla Team — reregistered at least three old domains associated with the decade-old Andromeda malware, allowing the group to distribute its own reconnaissance and surveillance tools to Ukrainian targets.

Cybersecurity firm Mandiant stated in a Thursday advisory that Turla Team APT, also known by Mandiant’s designation of UNC4210, took control of three domains that were part of Andromeda’s defunct command-and-control (C2) infrastructure to reconnect to the compromised systems. The endgame was to distribute a reconnaissance utility known as Kopiluwak and a backdoor known as QuietCanary.

Andromeda, an off-the-shelf commercial malware program, dates back to at least 2013 and compromises systems through infected USB drives. Post-compromise, it connects to a list of domains, most of which have been taken offline.

There is no relationship between the Turla Team and the group behind Andromeda, which makes the co-opting of previously infected systems quite novel, says Tyler McLellan, senior principal analyst at Mandiant.

“Co-opting the Andromeda domains and using them to deliver malware to Andromeda victims is a new one,” he says. “We’ve seen threat actors reregister another group’s domains, but never observed a group deliver malware to victims of another.”

The slow spread of Andromeda allows attackers to wrest control of infected systems for free.
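The risk described above (dormant USB-spread infections still beaconing to defunct C2 domains that anyone can re-register) is something a defender can watch for in DNS logs. The following is an added example, not code from the article or from Mandiant; the domain names, the registry snapshot, the log format and the malware-era cutoff date are all constructed placeholders.

```python
import re
from datetime import date

# Constructed placeholder list of "legacy" C2 domains: hypothetical names
# standing in for defunct, decade-old Andromeda-era infrastructure (not real IoCs).
LEGACY_C2_DOMAINS = {"legacy-c2-a.example", "legacy-c2-b.example"}

# Constructed registry snapshot: hypothetical current creation dates, as a
# watch list would hold them after a periodic WHOIS/RDAP refresh.
REGISTRY_SNAPSHOT = {
    "legacy-c2-a.example": date(2013, 5, 2),    # still the original registration
    "legacy-c2-b.example": date(2022, 11, 18),  # created again long after the malware era
}

# Assumption: any creation date on or after this is treated as a re-registration.
MALWARE_ERA_END = date(2017, 1, 1)

# Matches the constructed resolver log format used in SAMPLE_LOG below.
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN A")


def reregistered_domains(snapshot, legacy, era_end=MALWARE_ERA_END):
    """Legacy C2 domains whose current creation date postdates the malware era."""
    return {d for d in legacy if d in snapshot and snapshot[d] >= era_end}


def flag_beacons(log_lines, legacy, reregistered):
    """Return (src_host, domain, risk) for every lookup of a legacy C2 domain.

    A lookup of a dead domain marks a dormant infection to clean up; a lookup of a
    re-registered one means the host may now be reachable by whoever holds the domain.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname in legacy:
            risk = "hijacked-c2" if qname in reregistered else "dormant-infection"
            hits.append((m["src"], qname, risk))
    return hits


# Constructed resolver query-log lines (BIND-like layout, not a real capture).
SAMPLE_LOG = [
    "02-Jan-2023 09:14:02.118 client 10.0.5.23#51234: query: legacy-c2-b.example IN A + (10.0.0.2)",
    "02-Jan-2023 09:14:05.410 client 10.0.5.23#51240: query: www.example.org IN A + (10.0.0.2)",
    "02-Jan-2023 09:20:17.002 client 10.0.7.8#49870: query: legacy-c2-a.example. IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    rr = reregistered_domains(REGISTRY_SNAPSHOT, LEGACY_C2_DOMAINS)
    for src, dom, risk in flag_beacons(SAMPLE_LOG, LEGACY_C2_DOMAINS, rr):
        print(f"{src} -> {dom}: {risk}")
```

Hosts flagged as "dormant-infection" are worth remediating even though the domain is dead, since the advisory's point is that the domain can be brought back to life at any time.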

“As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims,” Mandiant stated in the advisory. “This
