Turla Hackers Deliver Andromeda Malware
The Russian state-sponsored hacking group known as Turla has been identified as using Andromeda malware to attack Ukrainian organisations. Mandiant has detailed the attack in a recent report, stating that the attack was conducted in September 2022.
The malware is typically deployed by hackers using an infected USB drive and is frequently used for malware delivery and credential theft.
Turla has been active since at least 2006 and is also referred to as Venomous Bear, Krypton or Snake. Andromeda, also known as Wauchos or Gamarue, has been active since at least September 2011, enrolling infected machines into a botnet.
“USB spreading malware continues to be a useful vector to gain initial access into organisations. In this incident, a USB infected with several strains of older malware was inserted at a Ukrainian organisation in December 2021... When the system's user double clicked a malicious link file (LNK) disguised as a folder within the USB drive, a legacy Andromeda sample was automatically installed and began to beacon out,” says the Mandiant report.
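As an added defender-side illustration (not code from the article or from Mandiant), the check below flags the pattern quoted above: a .lnk shortcut sitting beside a real folder of the same name on a removable drive, which Windows Explorer renders as two look-alike "folders" once known extensions are hidden. The drive listing is a constructed sample, and `snapshot()` is a hypothetical helper for building such a listing from a real mount point.

```python
import os
from pathlib import PurePosixPath

# Constructed snapshot of a removable drive as (relative path, is_dir) pairs.
# Not taken from the report; it only reproduces the decoy pattern described.
SAMPLE_LISTING = [
    ("Reports", True),
    ("Reports.lnk", False),
    ("Invoices", True),
    ("Invoices.lnk", False),
    ("Photos", True),
    ("Photos/holiday.jpg", False),
    ("notes.txt", False),
    ("README.lnk", False),
]


def lnk_posing_as_folder(listing):
    """Return {path: confidence} for .lnk files that look like folder decoys.

    high   - a directory of the same name sits beside the shortcut
    medium - a shortcut at the drive root with no twin; legitimate
             shortcuts live there too, so it only merits a look
    """
    dirs = {PurePosixPath(p) for p, is_dir in listing if is_dir}
    findings = {}
    for path, is_dir in listing:
        p = PurePosixPath(path)
        if is_dir or p.suffix.lower() != ".lnk":
            continue
        if p.with_suffix("") in dirs:
            findings[path] = "high"
        elif p.parent == PurePosixPath("."):
            findings[path] = "medium"
    return findings


def snapshot(root):
    """Build a listing for a real mount point (e.g. a USB drive) with os.walk."""
    listing = []
    for base, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(base, root)
        prefix = "" if rel == "." else rel.replace(os.sep, "/") + "/"
        listing += [(prefix + d, True) for d in dirnames]
        listing += [(prefix + f, False) for f in filenames]
    return listing
```

Run `lnk_posing_as_folder(snapshot("E:/"))` (or the equivalent mount path) against a freshly inserted drive before anything on it is opened.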
The Turla hacking group has deployed the ComRAT malware in the past, but has since expanded its tactics and techniques, including its use of the Andromeda malware that first emerged in 2011.
Mandiant said that it was analysing an operation suspected to be the work of Turla when it identified expired Andromeda command and control domains leveraged by the group for victim profiling purposes. Although the attack occurred last autumn, it is likely that the legacy Andromeda sample was delivered in December 2021 via an infected USB drive.
Sources: Mandiant, Axios, Oodaloop, Security Week, Wired, Hacker News