Posted on January 9, 2023 at 7:17 AM
Turla, a cyber-espionage group based in Russia, has been using attack infrastructure belonging to a decade-old malware family. The hackers have been using that infrastructure to deploy reconnaissance tools and a backdoor against targets in Ukraine.
Russian Turla hackers piggybacking on decade-old malware infrastructure
Google’s Mandiant detected the operations of this threat actor group. Mandiant is tracking the activity under the cluster moniker UNC4210. The report said that the hijacked servers were the same ones used by a version of a commodity malware known as ANDROMEDA or Gamarue. The malware was uploaded on VirusTotal in 2013.
The Mandiant researchers further said that the hackers had registered around three ANDROMEDA command-and-control domains that had already expired. They later profiled the victims to deploy QUIETCANARY and KOPILUWAK in September last year.
Turla is one of the largest threat actor groups in Russia. The group also goes by other names, such as Waterbug, Krypton, Iron Hunter, Venomous Bear, and Uroburos. The espionage group uses several custom malware to target governments, diplomats, and military organizations.
Since Russia invaded Ukraine in February last year, there has been a rise in the number of phishing campaigns and reconnaissance efforts targeting institutions in the country. Another hacking activity involving the Turla hacking group was detected in July last year. Google’s Threat Analysis Group noted that the group had created a malicious Android app. The app promoted itself as purportedly enabling Ukrainian hackers to launch distributed denial-of-service attacks targeting Russian websites.
The recent report by Mandiant researchers shows that the Turla hacking group has been using older infections to distribute malware. The threat actor group also took advantage of how the ANDROMEDA malware is spread through infected USB keys. The threat intelligence firm noted that “USB spreading malware continues to be a useful vector to gain initial access into organizations.”
The hacking activity that Mandiant researchers detected also showed that the hackers used an infected USB stick. The USB stick was inserted at an organization in Ukraine in December 2021. Launching a malicious link file, hidden in a folder on the USB drive, deployed a legacy ANDROMEDA artifact on the host.
On September 8, 2022, the attack progressed to the last phase, where QUIETCANARY, a .NET-based implant also known as Tunnus, was executed. This resulted in files created after January 1, 2021, being exfiltrated.
Turla’s hacking activity comes amid earlier reports of how the hacking group was engaging in victim profiling efforts amid the ongoing Russia-Ukraine war. This allowed the group to customize its hacking campaigns and collect valuable information for Russia.
The hacking activity is also unique, as it is rare for a threat actor group to target victims of another malware campaign to meet its objectives while hiding its motives. The researchers noted that older versions of the ANDROMEDA malware were still being spread using compromised USB devices. Once the expired domains could be registered afresh, any new threat actor who claimed them could control the infected hosts and deploy malware to those victims.
“This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts,” the researchers said.
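The quoted point cuts both ways for defenders: an indicator list for a retired malware family is not dead just because its C2 domains lapsed. The following is an added example (not code from the Mandiant report) that flags legacy C2 domains whose current registration date postdates their lapse, and then matches DNS log entries against only those re-registered domains. All domain names, dates, WHOIS values and log lines are constructed placeholders.

```python
from datetime import date

# Constructed legacy-C2 indicator list: domains once used by a commodity
# malware family whose registrations lapsed. Placeholder names, not the
# real domains from the report.
LEGACY_C2 = {
    "legacy-c2-a.example": {"family": "ANDROMEDA", "expired": date(2019, 3, 1)},
    "legacy-c2-b.example": {"family": "ANDROMEDA", "expired": date(2020, 7, 15)},
    "legacy-c2-c.example": {"family": "ANDROMEDA", "expired": date(2018, 1, 9)},
}

# Constructed WHOIS-style creation dates, as a lookup would return them.
# In practice these come from a WHOIS/RDAP client; None = unregistered.
WHOIS = {
    "legacy-c2-a.example": date(2022, 1, 20),  # re-registered after the lapse
    "legacy-c2-b.example": date(2012, 7, 15),  # original registration still stands
    "legacy-c2-c.example": None,               # still unregistered
}

def reregistered_domains(indicators, whois):
    """Return legacy C2 domains whose current registration postdates the lapse."""
    hits = []
    for domain, info in indicators.items():
        created = whois.get(domain)
        if created is not None and created > info["expired"]:
            hits.append(domain)
    return sorted(hits)

# Constructed resolver log lines: timestamp, client IP, queried name.
DNS_LOG = """\
2022-09-08T10:02:11Z 10.1.4.22 legacy-c2-a.example
2022-09-08T10:02:13Z 10.1.4.22 cdn.example
2022-09-08T10:05:40Z 10.1.7.9 legacy-c2-b.example
"""

def flag_beacons(log_text, indicators, whois):
    """Flag hosts querying a legacy C2 domain that is now under new control."""
    live = set(reregistered_domains(indicators, whois))
    alerts = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if qname in live:
            alerts.append((client, qname, indicators[qname]["family"]))
    return alerts

if __name__ == "__main__":
    print(reregistered_domains(LEGACY_C2, WHOIS))
    print(flag_beacons(DNS_LOG, LEGACY_C2, WHOIS))
```

The host querying legacy-c2-b.example is not alerted on because that domain's registration never lapsed into new hands; the point is to keep old indicators and re-check their registration state rather than discard them.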
Russian state-sponsored hacker targets US nuclear research labs
The report comes after Reuters revealed that COLDRIVER, a state-sponsored hacking group in Russia also known as SEABORGIUM or Callisto, had targeted three nuclear research labs within the United States early last year.
The attack involved creating fake login pages for Argonne, Brookhaven, and Lawrence National Laboratories to trick nuclear scientists into sharing their passwords.
The manner in which the attack was conducted mirrors the known activity of the COLDRIVER hacking group. The group was also recently exposed for spoofing the login pages of consulting companies in defense and intelligence. The group has also targeted think tanks, NGOs, and higher education institutions.