Turla, a known Russian threat actor allegedly tied to the Kremlin, was observed recycling a decade-old and defunct malware to gain access to endpoints in Ukraine and spy on its targets.
A report by cybersecurity experts Mandiant found that in mid-2022, Turla was re-registering expired domains of Andromeda, a common banking trojan that was being widely distributed almost a decade ago – in 2013.
By doing so, the group would take over the malware’s command & control (C2) servers, gaining access to the once-infected endpoints and their sensitive information.
Hiding in plain sight
One of the advantages of this novel approach, the researchers claim, is the ability to stay hidden from cybersecurity researchers.
“Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” says John Hultquist, lead intelligence analyst at Mandiant. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”
But what raised the alarms with Mandiant is the fact that Andromeda deployed two additional pieces of malware – a reconnaissance tool named Kopiluwak, and a backdoor named Quietcanary. It was the former that gave it away, as it’s a tool that was used by Turla in the past, as well.
In total, three expired domains were observed to have been re-registered last year, connecting to “hundreds” of Andromeda infections, all giving Turla access to sensitive data. “By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”
Turla used this novel approach to target endpoints in Ukraine, the researchers said, adding that, so far, this is the only country being attacked.
- Check out the best firewalls around