Security News > 2023 > January > Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine.

Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA that was uploaded to VirusTotal in 2013.

The latest discovery from Mandiant shows that Turla has been stealthily co-opting older infections as a malware distribution mechanism, not to mention taking advantage of the fact that ANDROMEDA spreads via infected USB keys.

"USB spreading malware continues to be a useful vector to gain initial access into organizations," the threat intelligence firm said.

"As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims," the researchers said.

"This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts."

News URL

https://thehackernews.com/2023/01/russian-turla-hackers-hijack-decade-old.html