Russia hacker group hijacks USB attacks by other criminals

By Scott Marlette Last updated Jan 10, 2023

Turla, a known Russian threat actor allegedly tied to the Kremlin, was observed recycling a decade-old and defunct malware to gain access to endpoints in Ukraine and spy on its targets.

A report by cybersecurity experts Mandiant found that in mid-2022, Turla was re-registering expired domains of Andromeda, a common banking trojan that was being widely distributed almost a decade ago – in 2013.

By doing so, the group would take over the malware’s command & control (C2) servers, gaining access to the once-infected endpoints and their sensitive information.

Hiding in plain sight

One of the advantages of this novel approach, the researchers claim, is the ability to stay hidden from cybersecurity researchers.

“Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” says John Hultquist, lead intelligence analyst at Mandiant. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

But what raised the alarms with Mandiant is the fact that Andromeda deployed two additional pieces of malware – a reconnaissance tool named Kopiluwak, and a backdoor named Quietcanary. It was the former that gave it away, as it’s a tool that was used by Turla in the past, as well.

In total, three expired domains were observed to have been re-registered last year, connecting to “hundreds” of Andromeda infections, all giving Turla access to sensitive data. “By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

Turla used this novel approach to target endpoints in Ukraine, the researchers said, adding that, so far, this is the only country being attacked.

Via: Wired (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.