Analysts at Mandiant report that the Russian-speaking cyber-espionage group Turla has seized control servers of the old Andromeda botnet, which was shut down by law enforcement and information security specialists back in 2017. Turla appears to have used Andromeda’s C&C servers to examine still-compromised hosts and single out those suitable for intelligence and espionage operations.
Google-owned Mandiant tracks this Turla operation as the threat cluster UNC4210. The researchers write that the infrastructure hijacked by the attackers corresponds to Andromeda malware samples (also known as Gamarue and Wauchos) that were uploaded to VirusTotal back in 2013.
The researchers explain that Turla waited for the registration of a number of domains to expire and then took over part of the old botnet infrastructure, which had been dismantled back in 2017. Let me remind you that at the time the botnet was taken down by a truly worldwide effort. The joint operation involved the FBI, Interpol, the Europol Cyber Unit (EC3), Eurojust, the Joint Cybercrime Task Force (J-CAT), and German law enforcement agencies. The private sector, in turn, was represented by specialists from Microsoft, ESET, Registrar of Last Resort, as well as ICANN, FKIE, BSI and many others.
“Back in September 2022, UNC4210 re-registered at least three ANDROMEDA C&C domains after their registration expired and began profiling victims for the selective deployment of KOPILUWAK and QUIETCANARY,” Mandiant experts say.
Mandiant therefore believes that Turla is using old Andromeda infections as a mechanism to distribute its own malware, and may also be taking advantage of the fact that Andromeda spread via infected USB drives.
“Malware spreading over USB continues to be a useful vector for gaining initial access to an organization’s networks,” the report notes. “As the old ANDROMEDA malware continues to spread via compromised USB devices, re-registered domains are a danger as new attackers can take control of them and deliver new malware to victims.”
For example, in one incident analyzed by Mandiant, an infected USB drive was plugged into a machine at an unnamed Ukrainian organization in December 2021. When a malicious shortcut (.LNK) file masquerading as a folder on the drive was run, an outdated version of Andromeda was deployed on the host.
Because the attackers used one of the domains seized in January 2022 (formerly part of the botnet infrastructure) to profile victims, the command-and-control server delivered the KOPILUWAK dropper, a JavaScript utility for network reconnaissance, to this infected machine.
Two days later, on September 8, 2022, the attack entered its final phase with the deployment of the QUIETCANARY malware (also known as Tunnus), which ultimately led to the theft of files from the victim’s system.
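As an added illustration for defenders (this is not code from the article, from Mandiant, or from any of the malware families named), the following Python scan looks at the top level of a removable drive for .LNK files whose name matches a sibling folder, the masquerading pattern described in the incident above. It verifies that each candidate is a genuine Windows shell link by its fixed header and LinkCLSID rather than trusting the extension. The drive layout it builds is constructed sample data, and the hidden-folder check (Windows file attribute, or a dot-prefixed name elsewhere) is an assumption about how such lures usually present themselves.

```python
import os
import stat
import tempfile
from pathlib import Path

# Fixed HeaderSize (0x4C, little-endian) and LinkCLSID of a Windows shell link,
# as specified in [MS-SHLLINK]. Every genuine .lnk file begins with these 20 bytes.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shell_link(path: Path) -> bool:
    """True if the file carries a real shell-link header (not merely a .lnk name)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(20)
    except OSError:
        return False
    return head[:4] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def is_hidden(path: Path) -> bool:
    """Hidden check (assumption): Windows hidden attribute, or a dot-prefixed name elsewhere."""
    if os.name == "nt":
        try:
            return bool(path.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
        except (OSError, AttributeError):
            return False
    return path.name.startswith(".")


def find_folder_masquerading_links(drive_root):
    """Scan the top level of a drive for shortcuts that shadow a sibling folder.

    Returns a sorted list of (shortcut_name, reason) tuples. A shortcut whose stem
    equals a sibling directory's name is the lure pattern; when that directory is
    also hidden the user sees only the shortcut, so that case gets its own reason.
    """
    root = Path(drive_root)
    dirs = {p.name.lower(): p for p in root.iterdir() if p.is_dir()}
    findings = []
    for entry in root.iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".lnk":
            continue
        if not is_shell_link(entry):
            continue  # .lnk by name only; Explorer would not resolve it as a shortcut
        twin = dirs.get(entry.stem.lower())
        if twin is None:
            continue
        reason = "lnk shadows hidden folder" if is_hidden(twin) else "lnk shadows visible folder"
        findings.append((entry.name, reason))
    return sorted(findings)


def build_sample_drive() -> Path:
    """Constructed sample layout (not from the article): one shortcut shadowing a folder."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Photos").mkdir()
    (root / "Music").mkdir()
    valid_header = LNK_HEADER_SIZE + LNK_CLSID + b"\x00" * 56
    (root / "Photos.lnk").write_bytes(valid_header)          # shadows the Photos folder
    (root / "Setup.lnk").write_bytes(valid_header)           # real shortcut, no twin folder
    (root / "Music.lnk").write_bytes(b"not a shortcut")      # .lnk name without a link header
    return root


def demo():
    """Build the constructed drive and return the scan findings."""
    return find_folder_masquerading_links(build_sample_drive())


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Run against a mounted removable drive by passing its root to `find_folder_masquerading_links`; on a real incident the hidden-folder variant is the stronger signal, since the legitimate folders are typically hidden so the shortcut is the only thing the user sees.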
“Used by widespread, financially motivated malware, this new technique for hijacking expired domains could provide a secondary compromise to a wide range of organizations. In addition, old malware and its infrastructure may be overlooked by defenders who sort out various warnings,” the experts warned.