Organisations that fell victim to Andromeda, a commodity malware that dates back 12 years, seem to be at risk of compromise by the Moscow-backed advanced persistent threat (APT) group tracked variously as UNC2410 or Turla, according to Mandiant, which has observed the group reactivating second-hand command and control (C2) infrastructure in a year-long campaign against Ukrainian targets.
Andromeda, an off-the-shelf commercial malware program, dates back to at least 2013 and compromises systems through infected USB drives. Post-compromise, it connects to a list of domains, most of which have been taken offline.
“USB-spreading malware continues to be a useful vector for gaining initial access to an organization,” said the threat intelligence firm.
Mandiant researchers first stumbled upon the campaign in September while investigating a breach on an unnamed Ukrainian computer network.
How does it affect victims?
Researchers concluded that the hackers re-registered an old Andromeda C2 domain in January 2022 and spent a few months combing through the infected devices still connecting to it to determine which victims they now had access to. From there, the new operators installed two malware strains that the Turla team is known to have used in past campaigns onto selected Ukrainian computers.
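The technique described above relies on a dormant C2 domain quietly resolving again once someone re-registers it, while the old infections keep querying it. A defender can turn that into a hunting check by watching resolver logs for watchlist domains that used to return NXDOMAIN and now return an address, and by listing the internal hosts still querying them at all, since those hosts carry the old implant. The following is an added example, not code from the article or from Mandiant; the domain names (reserved `.invalid` placeholders), the watchlist statuses and the log lines are all constructed, and the log line format is an assumed `timestamp client qname rcode [answer]` layout.

```python
"""Hunting check for resurrected C2 domains and lingering infections.

Added example; the watchlist, log format and all values are constructed.
"""
import re

# Constructed watchlist: legacy C2 domains of an old malware family and the
# status they had when the list was built. A SINKHOLE entry is expected to
# resolve (to the sinkhole), so only NXDOMAIN entries count as "reactivated".
DORMANT_C2_WATCHLIST = {
    "example-c2-old1.invalid": "NXDOMAIN",
    "example-c2-old2.invalid": "NXDOMAIN",
    "example-c2-sinkhole.invalid": "SINKHOLE",
}

# Constructed resolver log: "<ts> <client_ip> <qname> <rcode> [<answer>]"
SAMPLE_DNS_LOG = """\
2022-01-14T08:02:11Z 10.0.5.21 example-c2-old1.invalid NOERROR 203.0.113.77
2022-01-14T08:02:12Z 10.0.5.21 updates.example.com NOERROR 198.51.100.10
2022-01-14T08:05:40Z 10.0.5.33 example-c2-old2.invalid NXDOMAIN
2022-01-14T09:10:03Z 10.0.7.8 example-c2-old1.invalid NOERROR 203.0.113.77
2022-01-14T09:12:55Z 10.0.7.8 example-c2-sinkhole.invalid NOERROR 192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\S+))?$")


def parse_dns_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode, answer = m.groups()
        yield {
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
            "answer": answer,
        }


def find_reactivated_c2(log_text, watchlist=DORMANT_C2_WATCHLIST):
    """Return watchlist domains that were NXDOMAIN but now resolve.

    Result: {domain: {"answers": set, "clients": set, "first_seen": ts}}.
    A domain flipping from NXDOMAIN to an A record is the signal that someone
    may have re-registered it and is now receiving the old beacons.
    """
    hits = {}
    for rec in parse_dns_log(log_text):
        if watchlist.get(rec["qname"]) != "NXDOMAIN":
            continue
        if rec["rcode"] != "NOERROR" or not rec["answer"]:
            continue
        entry = hits.setdefault(
            rec["qname"], {"answers": set(), "clients": set(), "first_seen": rec["ts"]}
        )
        entry["answers"].add(rec["answer"])
        entry["clients"].add(rec["client"])
        # ISO-8601 timestamps in the same format sort lexically
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
    return hits


def infected_hosts(log_text, watchlist=DORMANT_C2_WATCHLIST):
    """Every client that queries any watchlist domain, whatever the rcode.

    A host asking for a dead C2 domain still runs the old implant and is
    exactly what a new owner of that domain would gain access to.
    """
    return {rec["client"] for rec in parse_dns_log(log_text) if rec["qname"] in watchlist}


if __name__ == "__main__":
    for domain, info in find_reactivated_c2(SAMPLE_DNS_LOG).items():
        print(f"REACTIVATED {domain} -> {sorted(info['answers'])} "
              f"first seen {info['first_seen']} by {sorted(info['clients'])}")
    print("hosts still beaconing to legacy C2:", sorted(infected_hosts(SAMPLE_DNS_LOG)))
```

In a real deployment the watchlist would be fed from threat intelligence on the malware family's historical C2 domains, and `parse_dns_log` swapped for the resolver's actual log schema; the two checks are deliberately separate because the second one (hosts still querying dead domains) is worth acting on even before any domain is resurrected.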
Although the Turla operation was focused on Ukraine, Turla’s targeting has encompassed Nato countries in the past.