Turla cyberespionage group used old malware for latest attacks

January 21, 2023

Researchers have observed the Russia-based Turla cyberespionage group piggybacking on ANDROMEDA, a decade-old commodity malware, to deliver its own backdoor and reconnaissance tools to Ukrainian targets.

ANDROMEDA is a commodity malware strain that was exposed nearly a decade ago. Rather than deploying a fresh infection, Turla has been reaching machines that are still infected with it and using those footholds as the entry point for its own operation.

The Turla cyberespionage group has recently been piggybacking on older infections to slip past security controls.

According to the investigation, Turla took advantage of ANDROMEDA's spread through infected USB drives: machines that picked up the old worm years ago were still calling home, and the group used those existing infections to deliver its own malware and evade security tooling.

This is a new approach for the group. Instead of breaching a target from scratch, its operators abuse an infection that is already in place to distribute their own tooling.

In January last year the group registered an expired, dormant domain that had once belonged to ANDROMEDA's command-and-control infrastructure, so that infected hosts still beaconing to it now reached Turla-controlled servers. It then used that domain to deliver KOPILUWAK, a JavaScript-based reconnaissance tool, to profile the victim.

The final stage came in September of that year, when a .NET-based backdoor called QUIETCANARY was deployed and used to exfiltrate files.

The Russian-speaking group has been using victim profiling to tailor its follow-on activity to the specific intelligence Russia is after. It is also unusual to catch an espionage group deliberately targeting the victims of another, unrelated malware operation to reach its own objectives.

Nor is it common for a threat actor to take over expired domains tied to other groups, particularly financially motivated ones, in order to deliver its backdoor to those groups' victims.

The approach gives the group a cheap path onto a wide range of targets, and it is hard for defenders to spot, because both the malware and the infrastructure involved are old and may have been written off as dormant long ago.
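The domain-takeover pattern described above is detectable if a defender keeps old C2 indicators alive rather than retiring them with the malware family. As an added example (not from the original article or from the researchers' report), the Python below scans constructed resolver log lines for queries to domains on a legacy-C2 watchlist and escalates when such a domain has a registration date years newer than the family's active period, meaning it has most likely been re-registered by a new operator. Every domain name, date, hostname and log line is constructed, and the `REGISTRATION` table stands in for a WHOIS/RDAP lookup so the script runs offline.

```python
"""Flag internal hosts that still resolve retired commodity-malware C2 domains,
and escalate when such a domain has been re-registered long after the malware
family went quiet (the takeover pattern described in the article).

Added example, not from the original article. Every domain, date and log line
below is constructed so the script runs offline.
"""
from datetime import date

# Watchlist: domains historically tied to a retired commodity malware family,
# mapped to the year that family was last seen active. Constructed.
LEGACY_C2 = {
    "old-botnet-c2.example": 2013,
    "stale-cnc.example": 2013,
}

# Current registration (creation) date per watchlisted domain. Stands in for a
# WHOIS/RDAP lookup. Constructed.
REGISTRATION = {
    "old-botnet-c2.example": date(2022, 1, 15),  # re-registered years later
    "stale-cnc.example": date(2012, 6, 1),       # original registration, lapsed
}

# Constructed resolver log: timestamp followed by key=value fields.
DNS_LOG = """\
2022-02-01T09:14:02Z host=ws-17 qname=old-botnet-c2.example qtype=A rcode=NOERROR answer=203.0.113.7
2022-02-01T09:14:05Z host=ws-17 qname=cdn.example qtype=A rcode=NOERROR answer=198.51.100.3
2022-02-01T09:15:10Z host=ws-42 qname=stale-cnc.example. qtype=A rcode=NXDOMAIN answer=-
2022-02-01T09:16:00Z host=ws-17 qname=old-botnet-c2.example qtype=A rcode=NOERROR answer=203.0.113.7
"""

# How many years past the family's last activity a fresh registration must be
# before we treat it as a takeover rather than the original operator's renewal.
TAKEOVER_GAP_YEARS = 5


def parse_dns_line(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = ts
    # Normalise the query name so trailing dots and case don't defeat the match.
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def classify(rec, watchlist=LEGACY_C2, registration=REGISTRATION,
             gap_years=TAKEOVER_GAP_YEARS):
    """Return (severity, reason) for a watchlisted query, or None otherwise."""
    qname = rec["qname"]
    if qname not in watchlist:
        return None
    created = registration.get(qname)
    resolving = rec.get("rcode") == "NOERROR"
    # A dormant C2 domain that resolves again and was (re)registered years after
    # the family died is the signature of someone else picking it up.
    if resolving and created and created.year - watchlist[qname] >= gap_years:
        return ("HIGH", "legacy C2 domain re-registered and resolving; host is "
                        "still infected and now reachable by a new operator")
    return ("MEDIUM", "host still beacons to a dormant legacy C2 domain; "
                      "remediate before the domain is taken over")


def scan(log_text, watchlist=LEGACY_C2, registration=REGISTRATION):
    """Run the check over a whole log and return one finding per host/domain."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        verdict = classify(rec, watchlist, registration)
        if verdict is None:
            continue
        key = (rec["host"], rec["qname"])
        if key in seen:          # repeated beacons collapse into one finding
            continue
        seen.add(key)
        findings.append({
            "host": rec["host"], "domain": rec["qname"],
            "severity": verdict[0], "reason": verdict[1], "first_seen": rec["ts"],
        })
    return findings


if __name__ == "__main__":
    for f in scan(DNS_LOG):
        print(f"[{f['severity']}] {f['first_seen']} {f['host']} -> {f['domain']}: {f['reason']}")
```

The MEDIUM verdict is the important one operationally: a host still beaconing to an unowned legacy domain is exactly the victim population a group like Turla inherits the day it registers that domain, so cleaning those hosts (or sinkholing the domain yourself) closes the door before anyone walks through it.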

This is the first time Turla has been seen targeting a Ukrainian entity since the start of the Russia-Ukraine conflict. Researchers note that, despite the novel delivery path, the group's planning and execution of initial access in this operation are consistent with its established tradecraft.
