{"id":594989,"date":"2023-01-07T05:49:31","date_gmt":"2023-01-07T11:49:31","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/07\/russias-turla-falls-back-on-old-malware-c2-domains-to-avoid-detection\/"},"modified":"2023-01-07T05:49:31","modified_gmt":"2023-01-07T11:49:31","slug":"russias-turla-falls-back-on-old-malware-c2-domains-to-avoid-detection","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/07\/russias-turla-falls-back-on-old-malware-c2-domains-to-avoid-detection\/","title":{"rendered":"Russia\u2019s Turla falls back on old malware C2 domains to avoid detection"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/malware-2-adobe_searchsitetablet_520X173.jpg\" data-credit=\"valerybrozhinsky - stock.adobe.c\"  width=\"520\" height=\"173\" alt><\/p>\n<p>valerybrozhinsky &#8211; stock.adobe.c<\/p>\n<\/div>\n<div id=\"content-header\">\n<h2>Mandiant says it has observed the Russian APT UNC2410, also known as Turla, re-registering expired or sinkholed domains previously used by financially motivated cyber criminals<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>06 Jan 2023 14:17<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Organisations that fell victim to <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/ANDROMEDA\">Andromeda<\/a>, a commodity 
malware that dates back 12 years, seem to be at risk of compromise by the Moscow-backed advanced persistent threat (APT) group tracked variously as <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252507062\/Turla-deploying-secondary-backdoor-in-state-sponsored-attacks\">UNC2410 or Turla<\/a>, according to Mandiant, which has observed the group reactivating second-hand command and control (C2) infrastructure in a year-long campaign against Ukrainian targets.<\/p>\n<p>Andromeda is a trojan that performed various functions, most notably the downloading of other malware used to surveil or steal data from victims. As a modular bot, its capabilities could also be expanded if wanted. It was tied to the Andromeda botnet allegedly <a href=\"https:\/\/www.computerweekly.com\/news\/450431390\/Andromeda-mastermind-Sergey-Jarets-jailed-say-security-researchers\">masterminded by a Belarussian national<\/a> who was arrested in 2017.<\/p>\n<p>At one time among the most widespread malware families seen in the wild, it still pops up from time to time, notably in 2021 when it was found lurking on the hard drives of refurbished laptops <a href=\"https:\/\/www.computerweekly.com\/news\/252495174\/Gamarue-malware-found-on-government-issued-school-laptops\">given to vulnerable children<\/a> as part of a UK government scheme.<\/p>\n<p>Mandiant said it now has evidence that Turla has been re-registering expired C2 domains used by financially motivated threat groups to distribute Andromeda in the 2010s.<\/p>\n<p>Its use of Andromeda\u2019s C2 infrastructure seems to have started in January 2022, when Turla began to profile new victims by spreading compromised USB keys containing Andromeda in Ukraine, where all known victims of this campaign are located. 
This would have been ahead of Russia\u2019s invasion in February, and according to Mandiant, this is the first observation of Turla activity linked to the war.<\/p>\n<p>The C2 infrastructure was used to gather basic system information and IP addresses on the victims and help Turla determine whether or not to attack them for real. It then targeted them with a reconnaissance utility called Kopiluwak, after which it deployed the Quietcanary backdoor that stole data including Microsoft Office documents, PDFs, text files and LNK files.<\/p>\n<p>\u201cRemovable media remains a powerful if indiscriminate tool for cyber criminals and state actors alike. Turla, which has been linked to the FSB, famously used removable media before in a widespread incident that led to loud, mass proliferation across DoD [US Department of Defence] systems over a decade ago. The proliferation of Agent.BTZ, clearly beyond the intent of the service, led to unprecedented response and exposure of the FSB operations,\u201d said Mandiant\u2019s head of threat intelligence, John Hultquist.<\/p>\n<p>\u201cThis incident is familiar, but the new spin is the actors aren\u2019t releasing their own USB malware into the wild. Now, they are taking advantage of another actor\u2019s work by taking over their command and control. By doing so, Turla removes itself from the high-profile dirty work of proliferation but still gets to select victims of interest.<\/p>\n<p>\u201cAccesses obtained by cyber criminals are an increasingly leveraged tool for Russian intelligence services who can buy or steal them for their own purposes,\u201d he added.<\/p>\n<p>Hultquist said that by exploiting old, well-known malware and its infrastructure, Turla\u2019s operation was more likely to be overlooked by defenders who have to spend time triaging a wide variety of alerts.<\/p>\n<p>This is not the first time Turla has been observed exploiting the work of other ne\u2019er-do-wells for its own ends. 
In early 2020, it emerged that it had been <a href=\"https:\/\/www.computerweekly.com\/news\/252479984\/Turlas-use-of-Iranian-infrastructure-probably-opportunistic\">opportunistically hijacking Iranian infrastructure<\/a> and using implants stolen from Tehran-linked APT34 to target victims.<\/p>\n<p>Further back, it is also thought to have used Chinese-state-attributed malware in a series of attacks in 2012, downloading then uninstalling the malware to divert attention away from its own activities.<\/p>\n<p>Although the Turla operation was focused on Ukraine, Turla\u2019s targeting has encompassed Nato countries in the past. As such, organisations in sectors it is known to have an interest in should be alert. These include, but may not be limited to, military organisations, government departments, academic and research institutions, and publishing and media companies. Targets often have specific interests in scientific and energy research, and diplomatic affairs. A full list of indicators of compromise (IoCs) <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/turla-galaxy-opportunity\">is available from Mandiant<\/a>.<\/p>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/252528934\/Russias-Turla-falls-back-on-old-malware-C2-domains-to-avoid-detection\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>valerybrozhinsky &#8211; stock.adobe.c Mandiant says it has observed the Russian APT UNC2410, also known as Turla, re-registering expired or sinkholed domains previously used by financially motivated cyber criminals By Alex Scroxton, Security Editor Published: 06 Jan 2023 14:17 Organisations that fell victim to Andromeda, a commodity malware that dates back 12 years, seem to 
be<\/p>\n","protected":false},"author":1,"featured_media":594990,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3669,46,117691],"tags":[],"class_list":{"0":"post-594989","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-russias","8":"category-technology","9":"category-turla"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/594989","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=594989"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/594989\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/594990"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=594989"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=594989"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=594989"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}