Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

[[correlate]]

Content source

https://thehackernews.com/2023/01/russian-turla-hackers-hijack-decade-old.html?m=1

The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine.

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

Russian cyber espionage group Turla has been using decade-old malware attack infrastructure to deliver reconnaissance and backdoor tools to Ukraine.

thehackernews.com

 

[upnorth]

"UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers said in an analysis published last week.

In July 2022, Google's Threat Analysis Group (TAG) revealed that Turla created a malicious Android app to supposedly "help" pro-Ukrainian hacktivists launch distributed denial-of-service (DDoS) attacks against Russian sites.

The latest discovery from Mandiant shows that Turla has been stealthily co-opting older infections as a malware distribution mechanism, not to mention taking advantage of the fact that ANDROMEDA spreads via infected USB keys. "USB spreading malware continues to be a useful vector to gain initial access into organizations,"

"As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims," the researchers said. "This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts."

Same source as OP shared.