Russia Hacker Group Reportedly Hijacks USB Attacks By Other Threat Actors

Russia hacker group reportedly hijacks USB attacks by other threat actors as Turla was sighted making use of a decade-old infection.

Turla, a known Russian threat actor allegedly tied to the Kremlin, was recently seen recycling a decade-old, defunct malware in a bid to gain access to endpoints in Ukraine and then spy on its targets.

A report by cybersecurity firm Mandiant states that in the middle of the previous year, Turla was re-registering expired domains of Andromeda, a common banking Trojan that was widely distributed close to a decade ago, in 2013 to be precise.

By doing so, the group would take over command and control of the malware's servers, gaining access to the endpoints that were once infected and then extracting their sensitive information. One of the main advantages of this novel approach, the researchers claim, is that it lets the operation stay hidden from cybersecurity researchers.
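As an added example (not from the article or from Mandiant), the following Python flags hosts whose DNS queries still reach a legacy C2 domain after that domain was re-registered by a new party; the intel table, placeholder domains and resolver log lines are all constructed for the example:

```python
"""Flag hosts that still beacon to a legacy botnet C2 domain after that domain
was re-registered by a new party (constructed example, not Mandiant's tooling)."""
from collections import defaultdict
from datetime import date

# Constructed threat-intel table (placeholder domains): for each legacy C2,
# the date a new registrant picked it up, or None if it is still unregistered.
LEGACY_C2 = {
    "old-c2-example.test": {"family": "Andromeda", "reregistered": date(2022, 1, 12)},
    "lapsed-example.test": {"family": "Andromeda", "reregistered": None},
}

# Constructed resolver log: timestamp, client host, queried name, answer.
DNS_LOG = """\
2022-02-03T09:14:22Z host-17 old-c2-example.test 203.0.113.45
2022-02-03T09:15:02Z host-17 cdn.example.test 198.51.100.7
2022-02-03T10:01:10Z host-42 lapsed-example.test NXDOMAIN
2022-02-04T11:30:00Z host-08 OLD-C2-EXAMPLE.test 203.0.113.45
2021-12-01T08:00:00Z host-99 old-c2-example.test NXDOMAIN
"""

def parse_line(line):
    ts, host, qname, answer = line.split()
    return date.fromisoformat(ts[:10]), host, qname.lower(), answer

def dormant_infections(log_text, intel=LEGACY_C2):
    """Hosts that query any legacy C2 domain at all: still-infected machines
    worth cleaning before someone else takes ownership of the domain."""
    hosts = set()
    for line in filter(str.strip, log_text.splitlines()):
        _, host, qname, _ = parse_line(line)
        if qname in intel:
            hosts.add(host)
    return sorted(hosts)

def hijack_candidates(log_text, intel=LEGACY_C2):
    """Map re-registered legacy C2 domains to hosts that reached them on or after
    the re-registration date and got a real answer rather than NXDOMAIN: those
    infections now report to whoever holds the domain."""
    hits = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        day, host, qname, answer = parse_line(line)
        entry = intel.get(qname)
        if entry and entry["reregistered"] and day >= entry["reregistered"] \
                and answer != "NXDOMAIN":
            hits[qname].add(host)
    return {d: sorted(h) for d, h in hits.items()}
```

Queries made before the re-registration date or answered NXDOMAIN are evidence of a dormant infection but not of a takeover, which is why the two functions are kept separate.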

Lead Intelligence Analyst at Mandiant's Assessment of the Development

“Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” lead intelligence analyst at Mandiant, John Hultquist, says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

What raised alarms at Mandiant, however, was that the Andromeda infections were accompanied by two additional types of malware: a reconnaissance tool named Kopiluwak and a backdoor known as QuietCanary. It was the former that gave the operation away, since Turla had used the same tool in the past.

Three Expired Domains in Total Were Observed to Have Been Re-Registered in 2022

Three expired domains in total were observed to have been re-registered in the previous year, connecting to numerous Andromeda infections, all of which gave access to sensitive data. “By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” states Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

According to the researchers, Turla used this novel approach to target endpoints in Ukraine, which so far is the only country or region observed being attacked this way.
