"Russia-Linked Turla APT Sneakily Co-Opts Ancient Andromeda USB Infections"

A hacking gang, believed to be the Russia-linked Turla Team, re-registered at least three domains associated with the decade-old Andromeda malware, enabling the group to deploy its own espionage and surveillance tools on Ukrainian targets. According to the cybersecurity firm Mandiant, the Turla Team Advanced Persistent Threat (APT), also tracked as UNC4210, gained control of three domains that were part of Andromeda's now-defunct command-and-control (C2) infrastructure in order to reconnect to systems still running the old infection. The objective was to distribute the Kopiluwak reconnaissance tool and the QuietCanary backdoor. Andromeda is a commercially available malware program that dates back to at least 2013 and spreads via infected USB devices. It connects to a number of domains, the majority of which have been taken offline. According to Tyler McLellan, a senior principal analyst at Mandiant, there is no connection between the Turla Team and the group responsible for Andromeda, which makes the co-opting of previously compromised devices rather unique. This article continues to discuss the Turla Team APT using C2 servers from the decade-old Andromeda malware to install reconnaissance tools and a backdoor on previously infected systems in order to target Ukrainian victims.

Dark Reading reports "Russia-Linked Turla APT Sneakily Co-Opts Ancient Andromeda USB Infections"
