Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors



Organisations that fell victim to Andromeda, a commodity malware family that has been around for more than a decade, appear to be at risk of compromise by the Moscow-backed advanced persistent threat (APT) group that Mandiant tracks as UNC4210 and assesses to be Turla. Mandiant observed the group reactivating second-hand command-and-control (C2) infrastructure in a year-long campaign against Ukrainian targets.

Andromeda, an off-the-shelf commercial malware program, dates back to at least 2013 and compromises systems through infected USB drives. Once it has infected a host, it beacons to a list of C2 domains, most of which have since been taken offline or allowed to expire.

“USB-spreading malware continues to be a useful vector for gaining initial access to an organization,” said the threat intelligence firm.

The threat actor re-registered one of the dormant domains from ANDROMEDA's decommissioned C2 infrastructure in January 2022, which put the old infections that were still beaconing to that domain under its control. Through that domain it delivered a staged dropper for KOPILUWAK, a JavaScript-based network reconnaissance utility, as a first stage to profile the victim.

Mandiant researchers first came across the campaign in September 2022 while investigating a breach of an unnamed Ukrainian computer network.

How does it affect victims?

Researchers concluded that the hackers re-registered the old Andromeda domain in January 2022 and then spent a few months combing through the infected devices that checked in to it, working out which victims they now had access to. From there, the new operators pushed two malware families that Turla is known to have used in past campaigns onto selected Ukrainian computers. The practical lesson for defenders is that a "dead" commodity infection is only as dead as its C2 domains: an expired domain can be re-registered by anyone, so hosts still beaconing to old Andromeda infrastructure should be treated as live footholds and cleaned up, not ignored because the original botnet is gone.

Although this operation focused on Ukraine, Turla's targeting has encompassed NATO countries in the past.

IOCs:

MD5 hashes (with the filename where one is given):

bc76bd7b332aa8f6aedbb8e11b7ba9b6 TrustedInstaller.exe
b3657bcfe8240bc0985093a0f8682703 mskmde.com
2eb6df8795f513c324746646b594c019
d8233448a3400c5677708a8500e3b2a0 xpexplore.js

Domains and hostnames (defanged):

suckmycocklameavindustry[.]in
yelprope.cloudns[.]cl
anam0rph[.]su
manager.surro[.]am

IP addresses (defanged):

212.114.52[.]24
194.67.209[.]186:443
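To put the indicators above to use, the following Python script refangs them and hunts for them in DNS, proxy and EDR telemetry. It is an added example written for this page; it is not code from the article, from FirstHackersNews or from Mandiant. Only the hashes, domains and IPs are taken from the list above; the log line format, the client IPs and the hostnames in the sample telemetry are constructed for illustration. The script also handles two details a quick grep gets wrong: a query for a subdomain of an IOC domain still counts as a hit, and traffic to the 194.67.209[.]186 address is reported even on a port other than the 443 given in the list, with a note that the port differs.

```python
"""Hunt for the Andromeda/Turla indicators listed above in log data.
Added example, not code from the article or from Mandiant; the sample
telemetry below is constructed, only the indicators come from the IOC list."""
import re

# Indicators copied from the IOC list above, still in the defanged form the page uses.
IOC_HASHES = {
    "bc76bd7b332aa8f6aedbb8e11b7ba9b6": "TrustedInstaller.exe",
    "b3657bcfe8240bc0985093a0f8682703": "mskmde.com",
    "2eb6df8795f513c324746646b594c019": "(no filename given)",
    "d8233448a3400c5677708a8500e3b2a0": "xpexplore.js",
}
IOC_NETWORK_DEFANGED = [
    "suckmycocklameavindustry[.]in",
    "yelprope.cloudns[.]cl",
    "anam0rph[.]su",
    "212.114.52[.]24",
    "manager.surro[.]am",
    "194.67.209[.]186:443",
]

# Dotted host or IP, optionally followed by :port; MD5 is 32 hex characters.
HOST_RE = re.compile(
    r"\b([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)(?::(\d{1,5}))?\b"
)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging so the indicator can be compared with live data."""
    return ioc.replace("[.]", ".").lower()


def parse_network_iocs(defanged):
    """Map host/IP -> required port (None means any port)."""
    out = {}
    for ioc in defanged:
        host, _, port = refang(ioc).partition(":")
        out[host] = int(port) if port else None
    return out


NETWORK_IOCS = parse_network_iocs(IOC_NETWORK_DEFANGED)


def is_ip(host: str) -> bool:
    return host.replace(".", "").isdigit()


def match_host(observed: str, port):
    """Return (ioc, port_ok) when 'observed' is an IOC host, a subdomain of an
    IOC domain, or an IOC IP. IPs must match exactly (no subdomain logic)."""
    for ioc_host, ioc_port in NETWORK_IOCS.items():
        exact = observed == ioc_host
        sub = not is_ip(ioc_host) and observed.endswith("." + ioc_host)
        if exact or sub:
            return ioc_host, (ioc_port is None or ioc_port == port)
    return None


def scan_line(line: str):
    """Return a list of (kind, ioc, detail) hits found in one log line."""
    text = line.lower()
    hits = []
    for digest in MD5_RE.findall(text):
        if digest in IOC_HASHES:
            hits.append(("hash", digest, IOC_HASHES[digest]))
    for host, port in HOST_RE.findall(text):
        found = match_host(host, int(port) if port else None)
        if found:
            ioc, port_ok = found
            hits.append(("network", ioc, "port matches" if port_ok else "port differs from IOC"))
    return hits


def hunt(lines):
    """Scan every line; return [(line_number, kind, ioc, detail), ...]."""
    return [(n, kind, ioc, detail)
            for n, line in enumerate(lines, start=1)
            for kind, ioc, detail in scan_line(line)]


# Constructed sample telemetry (DNS, proxy and EDR events), not from the article.
SAMPLE_LOGS = [
    "2022-09-12T08:14:03Z dns client=10.20.0.17 query=anam0rph.su type=A",
    "2022-09-12T08:14:09Z proxy client=10.20.0.17 dst=194.67.209.186:443 method=CONNECT",
    "2022-09-12T08:15:41Z edr host=ws-17 file=C:\\Users\\Public\\xpexplore.js md5=d8233448a3400c5677708a8500e3b2a0",
    "2022-09-12T08:16:00Z proxy client=10.20.0.9 dst=194.67.209.186:80 method=GET",
    "2022-09-12T08:17:22Z dns client=10.20.0.9 query=cdn.yelprope.cloudns.cl type=A",
    "2022-09-12T08:18:05Z dns client=10.20.0.9 query=updates.example.com type=A",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed sample, the script reports five findings across the six lines: the DNS query for anam0rph.su, the CONNECT to 194.67.209.186:443, the xpexplore.js hash from the EDR event, the GET to 194.67.209.186 on port 80 (flagged as a port mismatch rather than dropped), and the subdomain query under yelprope.cloudns.cl; the benign updates.example.com query produces nothing. Because the C2 domains were re-registered, a hit on one of them in historical DNS logs is worth chasing even if the host looks clean today.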


About the Author:

FirstHackersNews - Identifies Security
