Russian Turla Cyberspies Leveraged Other Hackers’ USB-Delivered Malware

In a recent attack against a Ukrainian organization, Russian state-sponsored threat actor Turla leveraged legacy Andromeda malware likely deployed by other hackers via an infected USB drive, Mandiant reports.

Active since at least 2006 and linked to the Russian government, the cyberespionage group is also tracked as Snake, Venomous Bear, Krypton, and Waterbug, and has been historically associated with the use of the ComRAT malware.

Also known as Wauchos or Gamarue, Andromeda has been active since at least September 2011, ensnaring infected machines into a botnet that was disrupted in December 2017. The widely used threat was mainly leveraged for credential theft and malware delivery.

While analyzing a suspected Turla operation that it tracks as UNC4210, Mandiant discovered that at least three expired Andromeda command and control (C&C) domains had been reregistered and were being used to profile victims.

The Turla activity was observed in September 2022, but the Ukrainian victim organization had been infected with a legacy Andromeda sample much earlier, in December 2021, via an infected USB drive. A malicious LNK file on the drive was used to execute the malware.

Immediately after infection, the Andromeda sample established persistence by adding a registry autorun key so that it executed each time the user logged in, and it began beaconing to its C&C domain. The initial infection was likely the work of a different threat actor, but Turla took advantage of the still-beaconing malware for reconnaissance.

In January 2022, an old, expired Andromeda C&C domain was reregistered. UNC4210 used the domain to profile victims and then delivered the Kopiluwak dropper to those deemed interesting.

Although beaconing Andromeda stager samples were identified on multiple hosts, Turla-related malware was deployed in a single case, “suggesting a high level of specificity in choosing which victims received a follow-on payload”.

The Kopiluwak JavaScript-based reconnaissance utility was deployed on the victim's system on September 6, 2022. According to Mandiant, the same self-extracting archive containing the malware was executed several times on the target system between September 6 and 8.

On September 8, the threat actor deployed the Quietcanary .NET backdoor, which is also known as Tunnus, and which is used for data harvesting and exfiltration. UNC4210 used the backdoor to collect, archive, and exfiltrate data from the victim system.

The investigation also revealed that other known Andromeda domains had been reregistered. According to Mandiant, at least three such domains appear to be used by UNC4210.

“As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims. This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities,” Mandiant notes.
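The practical consequence of the technique Mandiant describes is that a defender cannot treat traffic to a "dead" botnet domain as harmless: the infection keeps beaconing, and whoever holds the domain today decides what comes back. The following is an added example (not Mandiant's tooling or anything from the report) of the two checks a responder would run to find that situation in their own telemetry: pull hosts that contact known legacy C&C domains at a regular cadence out of proxy logs, and flag any of those domains whose WHOIS creation date post-dates the December 2017 botnet disruption, meaning the name lapsed and was registered again by someone else. All domain names, log lines, WHOIS dates, the exact takedown cut-off day and the jitter threshold are constructed assumptions for illustration, not real Andromeda indicators.

```python
"""
Find hosts still beaconing to legacy C&C domains, and flag domains that were
re-registered after the botnet takedown. Added example; every domain, log
line and WHOIS record here is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Andromeda was disrupted in December 2017. The exact day is an assumption
# used only as a cut-off for "registered after the takedown".
TAKEDOWN = datetime(2017, 12, 4)

# Constructed WHOIS creation dates for two hypothetical legacy C&C domains.
# A creation date after TAKEDOWN means the name lapsed and was re-registered.
WHOIS_CREATED = {
    "legacy-c2-a.example": datetime(2012, 3, 1),   # original registration, never lapsed
    "legacy-c2-b.example": datetime(2022, 1, 15),  # re-registered after the takedown
}

# Constructed proxy log lines: "<ISO timestamp> <host> <destination domain> <status>".
PROXY_LOG = """\
2022-09-06T08:00:00 WS-17 legacy-c2-b.example 200
2022-09-06T08:30:01 WS-17 legacy-c2-b.example 200
2022-09-06T09:00:02 WS-17 legacy-c2-b.example 200
2022-09-06T09:30:00 WS-17 legacy-c2-b.example 200
2022-09-06T08:05:00 WS-22 legacy-c2-a.example 503
2022-09-06T11:12:00 WS-22 legacy-c2-a.example 503
2022-09-06T09:10:00 WS-03 updates.example 200
"""


def parse_log(text):
    """Return a list of (timestamp, host, domain) tuples from the raw log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, _status = line.split()
        events.append((datetime.fromisoformat(ts), host, domain))
    return events


def reregistered_domains(whois, takedown=TAKEDOWN):
    """Domains whose current registration post-dates the botnet takedown."""
    return sorted(d for d, created in whois.items() if created > takedown)


def beaconing_hosts(events, watchlist, min_hits=3, max_jitter=timedelta(seconds=5)):
    """
    Hosts contacting a watch-listed domain at a near-constant interval.
    Returns {host: (domain, median_interval_seconds)}.
    """
    per_pair = defaultdict(list)
    for ts, host, domain in events:
        if domain in watchlist:
            per_pair[(host, domain)].append(ts)

    result = {}
    for (host, domain), stamps in per_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2]
        # Regular cadence: every gap sits within max_jitter of the median gap.
        if all(abs(g - median) <= max_jitter for g in gaps):
            result[host] = (domain, int(median.total_seconds()))
    return result


def triage(log_text=PROXY_LOG, whois=WHOIS_CREATED):
    """Hosts beaconing to a legacy domain that someone has re-registered."""
    events = parse_log(log_text)
    beacons = beaconing_hosts(events, set(whois))
    hijacked = set(reregistered_domains(whois))
    return {host: dom for host, (dom, _) in beacons.items() if dom in hijacked}


if __name__ == "__main__":
    print("re-registered domains:", reregistered_domains(WHOIS_CREATED))
    print("beaconing hosts:", beaconing_hosts(parse_log(PROXY_LOG), set(WHOIS_CREATED)))
    print("prioritise for forensics:", triage())
```

In the constructed data, WS-17 beacons to legacy-c2-b.example every 30 minutes and that domain was registered again in January 2022, so it is the host to image first; WS-22 talks to a domain that is still dead (503s, no regular cadence), which is a cleanup item rather than an active intrusion. Against real telemetry, replace the embedded WHOIS dictionary with a lookup of creation dates for your legacy-malware domain list and keep the takedown cut-off per malware family.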

The cyberthreat intelligence firm says this is the first suspected Turla attack targeting Ukraine that it has observed since the Russian invasion of the country started. The tactics are consistent with known Turla activity, although some other elements represent a departure from historical Turla operations.

“Both Kopiluwak and Quietcanary were downloaded in succession at various times, which may suggest the group was operating with haste or less concern for operational security, experiencing some aspect of operational deficiency, or using automated tools,” Mandiant concludes.

Related: New Android Spyware Uses Turla-Linked Infrastructure

Related: Turla’s Updated ComRAT Malware Uses Gmail for C&C Communication

Related: Turla Uses Sophisticated Backdoor to Hijack Exchange Mail Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
