Russia-Linked Turla APT Sneakily Co-Opts Ancient Andromeda USB Infections

Using command-and-control servers from the decade-old Andromeda malware, the group is installing reconnaissance tools and a backdoor on previously infected systems to target Ukrainian victims.


A hacking group — suspected to be the Russia-linked Turla Team — reregistered at least three old domains associated with the decade-old Andromeda malware, allowing the group to distribute its own reconnaissance and surveillance tools to Ukrainian targets.

Cybersecurity firm Mandiant stated in a Thursday advisory that Turla Team APT, also known by Mandiant's designation of UNC4210, took control of three domains that were part of Andromeda's defunct command-and-control (C2) infrastructure to reconnect to the compromised systems. The endgame was to distribute a reconnaissance utility known as Kopiluwak and a backdoor known as QuietCanary.

Andromeda, an off-the-shelf commercial malware program, dates back to at least 2013 and compromises systems through infected USB drives. Post-compromise, it connects to a list of domains, most of which have been taken offline.

There is no relationship between the Turla Team and the group behind Andromeda, which makes the co-opting of previously infected systems quite novel, says Tyler McLellan, senior principal analyst at Mandiant.

"Co-opting the Andromeda domains and using them to deliver malware to Andromeda victims is a new one," he says. "We've seen threat actors reregister another group's domains, but never observed a group deliver malware to victims of another."

Because Andromeda keeps spreading slowly over USB media long after its operators went quiet, anyone who picks up its expired C2 domains gains control of the still-infected systems for the price of a domain registration.

"As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims," Mandiant stated in the advisory. "This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities."

While the hijacking of another group's infected assets is uncommon, it has happened in the past, with hackers fighting over compromised machines, stealing each other's systems, or using the same vulnerability to infect a system and overwrite a previous infection. In the early 2000s, for example, the MyDoom worm infected systems but left the compromised computers open to further attack, leading to a scramble between hackers looking to increase their stable of exploited systems.

Today, cybercriminals are more likely to compromise systems and then sell those infected machines, or credentials to access those systems, on underground forums and dark markets as part of the initial access broker subeconomy.

A Slowly Moving Galaxy of Andromeda Infections

The attack began in December 2021, when an infected USB drive was inserted into a system at a Ukrainian organization and an employee inadvertently opened a malicious shortcut (LNK) file on the drive. That infected the system with a version of Andromeda first uploaded to the antivirus scanning service VirusTotal in March 2013, Mandiant stated.

Mandiant first detected the attack in September 2022. Turla is a Russia-based threat group, but it has targeted a wide variety of organizations in some 45 countries over nearly two decades, according to the MITRE ATT&CK page.

While there is no relationship between Turla and Andromeda, piggybacking on existing Andromeda infections rather than building its own initial access has helped keep the Turla operation under the radar, McLellan says.

"Despite Andromeda being old and not likely operational today, we still see a lot of victims," he says. "As a user inserts a clean USB into an already infected system, that new USB can become infected and continue the spread."

Carefully Selected Targets: A Very Specific Threat

The attackers attempted to remain as stealthy as possible by profiling systems to determine the most interesting targets and then attacking only a handful of them. Mandiant observed the Turla-controlled servers to be active only for short periods, usually a few days, with weeks of downtime in between, the company stated.

"Mandiant identified several different hosts with beaconing Andromeda stager samples," the company stated in the advisory. "However, we only observed one case in which Turla-related malware was dropped in additional stages, suggesting a high level of specificity in choosing which victims received a follow-on payload."

The Turla Team operation underscores the importance of eliminating vectors of attack and responding to incidents, even if they appear to be low priority, McLellan says.

"Companies should pay attention to what USBs are in their environment and discourage employees from using them where possible," he says. "This incident should also raise concerns of what longer-term malware infections are in your environment, and could a threat actor co-opt that C2 infrastructure to gain access."
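McLellan's advice above, together with the earlier point that re-registered Andromeda domains let a new actor reach old victims, suggests a hunt a defender can run against DNS resolver logs. The following is an added example, not code from the article or from Mandiant: it reads a watchlist of legacy C2 domains, reports every host still beaconing to them (the long-term infections McLellan warns about), and flags any watchlisted domain whose answers move from NXDOMAIN or a sinkhole range to a live address, the signature of an expired domain coming back under someone's control. The domain names, the sinkhole range, and the log lines are constructed for the example.

```python
"""Hunt resolver logs for hosts beaconing to legacy C2 domains and for
watchlisted domains that have come back to life (possible re-registration).
All domains, address ranges and log lines below are constructed for this
example; they are not indicators from the Andromeda or Turla reports."""
import ipaddress
from collections import defaultdict

# Constructed watchlist of domains a defunct malware family once contacted.
# A real hunt would load this from threat intel rather than hard-code it.
LEGACY_C2 = {"upd-andr.example.test", "cdn-stat.example.test"}

# Constructed: ranges operated by sinkholes. An answer in one of these means
# a defender, not an attacker, currently holds the domain.
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed resolver log, one query per line: "epoch host qname rcode answer"
SAMPLE_LOG = """\
1670000000 ws-017 upd-andr.example.test NXDOMAIN -
1670000600 ws-017 upd-andr.example.test NXDOMAIN -
1670001200 ws-042 cdn-stat.example.test NOERROR 192.0.2.10
1672000000 ws-017 upd-andr.example.test NOERROR 198.51.100.7
1672000600 ws-017 upd-andr.example.test NOERROR 198.51.100.7
1672001200 ws-042 cdn-stat.example.test NOERROR 192.0.2.10
1672001800 ws-099 www.example.test NOERROR 203.0.113.9
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname, rcode, answer = line.split()
        rows.append({"ts": int(ts), "host": host, "qname": qname.lower(),
                     "rcode": rcode, "answer": None if answer == "-" else answer})
    return rows


def classify_answer(rcode, answer):
    """'dead' for no answer, 'sinkhole' for a sinkhole range, else 'live'."""
    if rcode != "NOERROR" or answer is None:
        return "dead"
    ip = ipaddress.ip_address(answer)
    return "sinkhole" if any(ip in net for net in SINKHOLE_NETS) else "live"


def hunt(rows, watchlist=LEGACY_C2):
    """Return (beaconing_hosts, takeover_candidates).

    beaconing_hosts: host -> sorted list of legacy C2 domains it queried.
    takeover_candidates: domain -> first time it resolved to a live address
    after having been dead or sinkholed, plus that address.
    """
    beaconing = defaultdict(set)
    history = defaultdict(list)  # domain -> [(ts, state, answer)] in time order
    for row in sorted(rows, key=lambda r: r["ts"]):
        if row["qname"] not in watchlist:
            continue
        beaconing[row["host"]].add(row["qname"])
        state = classify_answer(row["rcode"], row["answer"])
        history[row["qname"]].append((row["ts"], state, row["answer"]))

    takeover = {}
    for domain, events in history.items():
        was_inactive = False
        for ts, state, answer in events:
            if state in ("dead", "sinkhole"):
                was_inactive = True
            elif was_inactive and domain not in takeover:
                # Transition from dead/sinkholed to a non-sinkhole address.
                takeover[domain] = {"first_live": ts, "answer": answer}
    return {host: sorted(domains) for host, domains in beaconing.items()}, takeover


if __name__ == "__main__":
    hosts, flipped = hunt(parse_log(SAMPLE_LOG))
    for host, domains in hosts.items():
        print(f"{host} still beacons to legacy C2: {', '.join(domains)}")
    for domain, info in flipped.items():
        print(f"{domain} went live at {info['first_live']} -> {info['answer']}")
```

A host that beacons to a domain still sitting in a sinkhole is a cleanup item; a watchlisted domain that starts returning a non-sinkhole address is the case the article describes and should be treated as an active incident on every host that queried it, not a leftover.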

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
