A hacking group — suspected to be the Russia-linked Turla Workforce — reregistered no less than three previous domains related to the decade-old Andromeda malware, permitting the group to distribute its personal reconnaissance and surveillance instruments to Ukrainian targets.
Cybersecurity agency Mandiant said in a Thursday advisory that Turla Workforce APT, additionally recognized by Mandiant’s designation of UNC4210, took management of three domains that have been a part of Andromeda’s defunct command-and-control (C2) infrastructure to reconnect to the compromised methods. The endgame was to distribute a reconnaissance utility often called Kopiluwak and a backdoor often called QuietCanary.
Andromeda, an off-the-shelf industrial malware program, dates again to no less than 2013 and compromises methods by contaminated USB drives. Submit-compromise, it connects to an inventory of domains, most of which have been taken offline.
There is no such thing as a relationship between the Turla Workforce and the group behind Andromeda, making the co-opting of earlier contaminated methods fairly novel, says Tyler McLellan, senior principal analyst at Mandiant.
“Co-opting the Andromeda domains and utilizing them to ship malware to Andromeda victims is a brand new one,” he says. “We have seen menace actors reregister one other group’s domains, however by no means noticed a bunch ship malware to victims of one other.”
The sluggish unfold of Andromeda permits attackers to wrest management of contaminated methods free of charge.
“As older Andromeda malware continues to unfold from compromised USB units, these re-registered domains pose a threat as new menace actors can take management and ship new malware to victims,” Mandiant said within the advisory. “This novel strategy of claiming expired domains utilized by extensively distributed, financially motivated malware can allow follow-on compromises at a big selection of entities.”
Whereas the hijacking of one other group’s contaminated belongings is rare, it has occurred prior to now, with hackers combating over compromised machines, stealing one another’s methods, or utilizing the identical vulnerability to contaminate a system and overwrite a earlier an infection. Within the early 2000s, for instance, the MyDoom worm contaminated methods however left the compromised computer systems open to additional assault, resulting in a scramble between hackers seeking to enhance their secure of exploited methods.
Right this moment, cybercriminals usually tend to compromise methods after which promote these contaminated machines, or credentials to entry these methods, on underground boards and darkish markets as a part of the preliminary entry dealer subeconomy.
A Slowly Transferring Galaxy of Andromeda Infections
The assault started in December 2021, when an contaminated USB drive was inserted right into a system at a Ukrainian group and an worker inadvertently clicked on the malicious hyperlink. The cyberattack contaminated the system with a model of Andromeda first seen in March 2013 by the antivirus scanning service VirusTotal, Mandiant said.
Mandiant first detected the assault in September 2022. Turla is a Russian-based menace group, however it has focused all kinds of organizations in some 45 nations over practically twenty years, in response to the MITRE ATT&CK web page.
Whereas there isn’t a relationship between Turla and Andromeda, utilizing the Andromeda malware to contaminate different methods has helped preserve the Turla operation below the radar, says Tyler McLellan, senior principal analyst at Mandiant.
“Regardless of Andromeda being previous and unlikely operational at this time, we nonetheless see numerous victims,” he says. “As a person inserts a clear USB into an already contaminated system, that new USB can turn out to be contaminated and proceed the unfold.”
Rigorously Chosen Targets: A Very Particular Risk
The attackers tried to stay as stealthy as attainable by profiling methods to find out probably the most attention-grabbing targets after which solely attacking a handful of these methods. Mandiant solely noticed the Turla-controlled servers energetic for brief durations of time, normally a couple of days, with weeks of downtime, the corporate said.
“Mandiant recognized a number of completely different hosts with beaconing Andromeda stager samples,” the corporate said within the advisory. “Nonetheless, we solely noticed one case through which Turla-related malware was dropped in extra levels, suggesting a excessive degree of specificity in selecting which victims obtained a follow-on payload.”
The Turla Workforce operation underscores the significance of eliminating vectors of assault and responding to incidents, even when they look like low precedence, McLellan says.
“Firms ought to take note of what USB’s are of their setting and discourage workers from utilizing them the place attainable,” he says. “This incident also needs to elevate issues of what longer-term malware infections are in your setting, and will a menace actor co-opt that C2 infrastructure to realize entry.”