Turla Activity Detection: russian Cyberespionage Group Targeting Ukraine Uses Decade-Old USB-Delivered Andromeda Malware to Spread Novel Backdoors

russia-Backed Turla Group on the Rise

With USB-spreading malware becoming a popular vector for initial access, cyber defenders remain vigilant in safeguarding their organizations’ critical infrastructure. Cybersecurity researchers have recently observed malicious activity by the russia-linked cyberespionage group tracked as Turla APT, which leverages legacy USB-delivered Andromeda malware to deploy novel backdoors and custom reconnaissance tools in cyber attacks against Ukraine.

Detecting Turla (UNC4210) Operation: KopiLuwak and QUIETCANARY Delivered via Decade-Old Andromeda Infrastructure

With the growing attack volumes targeting Ukraine and its allies as part of russia’s offensive operations on the cyber frontline, defenders are joining forces to thwart the aggressor’s attacks. To help organizations identify the malicious activity of the russia-backed Turla cyberespionage group in a timely manner, SOC Prime Platform curates a set of relevant Sigma rules mapped to MITRE ATT&CK®. Follow the links below to gain instant access to the newly released Sigma rules written by our Threat Bounty developers, Aykut Gurses and Zaw Min Htun (ZETA), which detect the latest Turla attacks targeting Ukraine as part of the UNC4210 adversary campaign:

Detection of Possible Malicious Files Generated by the QUIETCANARY Backdoor (via file_event)

This Sigma rule developed by Aykut Gurses detects malicious files created by the .NET-based QUIETCANARY backdoor used to collect and leak data from compromised users. The rule is compatible with 20 SIEM, EDR, and XDR technologies and addresses the Command and Control tactic with Encrypted Channel (T1573) used as its primary technique.

Possible Execution of UNC4210 activity By Detection of Associated cmd Line (via process_creation)

This Sigma rule written by Zaw Min Htun (ZETA) detects attempts of the Turla group to collect data via WinRAR as part of the infamous UNC4210 malicious operation. This detection can be used across the industry-leading SIEM, EDR, XDR, and data lake solutions, like Snowflake, and addresses the Execution tactic with the corresponding User Execution (T1204) technique.
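
One way to express the kind of check this rule describes, as an added example rather than the SOC Prime rule itself: flag RAR archive creation that also sets a password, filters files by date, or writes the archive to a staging directory. The event fields, staging directories and sample events are assumptions constructed for illustration; `a`, `-p`/`-hp` and `-ta`/`-tb`/`-tn`/`-to` are standard RAR command-line options.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS = [
    {"host": "ws-014", "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r -hpS3cret '
                    r'-ta20210101000000 C:\Users\Public\d.rar "C:\Users\alice\Documents\*.docx"'},
    {"host": "ws-020", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\bob\Downloads\setup.rar'},
    {"host": "ws-021", "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a C:\Users\carol\Desktop\photos.rar C:\Users\carol\Pictures"},
]

# Assumed staging locations; tune to what is unusual in your environment.
STAGING = ("\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
           "\\appdata\\local\\temp\\")

def tokens(cmdline):
    # Split on whitespace but keep double-quoted arguments together.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def assess(event):
    """Return the list of suspicious signals, or None if the event is not flagged."""
    if not re.search(r"(?i)\\(win)?rar\.exe$", event["Image"]):
        return None
    args = tokens(event["CommandLine"])[1:]          # drop the executable itself
    positional = [a for a in args if not a.startswith("-")]
    if not positional or positional[0].lower() != "a":
        return None                                   # only archive creation matters
    signals = []
    if any(re.match(r"(?i)-h?p(?!-$)", a) for a in args):
        signals.append("password")                    # -p / -hp, but not "-p-"
    if any(re.match(r"(?i)-t[abno]\d", a) for a in args):
        signals.append("date_filter")                 # selects files by timestamp
    if len(positional) > 1 and any(s in positional[1].lower() for s in STAGING):
        signals.append("staging_dir")                 # archive written to staging path
    return signals or None

def detect(events):
    hits = []
    for event in events:
        signals = assess(event)
        if signals:
            hits.append((event["host"], signals))
    return hits

if __name__ == "__main__":
    for host, signals in detect(EVENTS):
        print(host, ",".join(signals))
```

A plain `a` with no extra signals (the third event) is left alone so that ordinary user backups do not alert.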

Join our Threat Bounty Program to enrich your Sigma and ATT&CK expertise by contributing your own detection code and gaining an opportunity to monetize your professional skills. 

Being on the frontline of the global cyber war, SOC Prime is continuously enriching the detection stack with Sigma rules against any TTPs used by russia-affiliated groups to help Ukraine and its allies defend themselves from russian aggression. By following the links below, security engineers can access the list of dedicated behavior-based Sigma rules related to the UNC4210 Turla operation:

Possible Data Compression for Exfiltration (via cmdline)

Compression Utility Passed Uncommon Directory (via cmdline)

Possible System Network Configuration Discovery (via cmdline)

Possible Code Execution via the Wuauclt.exe (via cmdline)

LOLBAS Wscript (via process_creation)

Possible Account or Group Enumeration (via cmdline)

Click the Explore Detections button to drill down to the comprehensive list of Sigma rules enriched with relevant CTI, MITRE ATT&CK references, and other useful metadata to detect existing and emerging attacks by the Turla threat actors:

Explore Detections

Turla Group Operation aka UNC4210 Targeting Ukraine: Attack Analysis

Since the outbreak of the global cyber war after russia’s full-scale invasion of Ukraine, cyber defenders have been overwhelmed by the volume of destructive attacks launched by the aggressor’s state-sponsored groups targeting Ukraine and its allies. The russia-affiliated Turla cyberespionage group, also known under the monikers Iron Hunter, Krypton, Uroburos, or Venomous Bear, primarily targets government, diplomatic, and military organizations by applying multiple reconnaissance utilities and custom malware strains. Since February 2022, Turla has been linked to cyberespionage campaigns against Ukraine, largely focused on reconnaissance efforts and exploiting the phishing attack vector to steal credentials and other sensitive data.

In early autumn 2022, Mandiant researchers uncovered a malicious operation by Turla APT known as UNC4210, in which threat actors were leveraging the legacy Andromeda malware (aka Gamarue) to deploy the KopiLuwak reconnaissance tool and the .NET-based backdoor dubbed QUIETCANARY mainly used for data exfiltration. Notably, two years earlier, in 2019, the Turla group applied the JavaScript-based KopiLuwak trojan in their cyberespionage campaigns targeting government entities.

Although the UNC4210 campaign was launched in September 2022, the targeted Ukrainian organization was infected with older Andromeda malware strains dating back to December 2021 and delivered via a compromised USB drive. Cybersecurity researchers revealed that in this UNC4210 campaign, threat actors used at least three expired Andromeda C2 domains to deploy the abovementioned payloads. According to Mandiant’s research, USB-delivered malware remains a popular initial access vector. Moreover, re-registered domains pose a significant risk to infected users, enabling threat actors to expand the scope of their attacks by spreading more malware strains and compromising a larger number of organizations.
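
A check for the re-registration risk described above, as an added example that is not taken from Mandiant or SOC Prime: it compares the first time a domain appears in internal DNS logs with the creation date of its current registration, and reports domains that hosts were already querying before that registration existed. Hostnames, `.test` domains, dates and the two-label `registrable()` shortcut are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed DNS query log (timestamp, host, queried name); not real indicators.
DNS_LOG = """\
2021-12-14T09:12:03Z ws-014 update.example-cdn.test
2021-12-14T09:12:04Z ws-014 beacon.old-c2.test
2022-03-02T11:40:10Z ws-014 beacon.old-c2.test
2022-09-08T07:01:55Z ws-014 beacon.old-c2.test
2022-09-08T07:02:10Z ws-022 beacon.old-c2.test
2022-09-09T10:00:00Z ws-031 portal.example-cdn.test
"""

# Constructed WHOIS/RDAP export: registrable domain -> creation date of the
# current registration.
REGISTRATIONS = {
    "old-c2.test": date(2022, 8, 20),
    "example-cdn.test": date(2015, 5, 1),
}

def registrable(qname):
    # Simplification: keep the last two labels. Use the Public Suffix List in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, host, qname = line.split()
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
            yield day, host, registrable(qname)

def find_reregistered(log, registrations):
    """Return domains that hosts queried before the current registration existed."""
    seen = defaultdict(list)
    for day, host, domain in parse(log):
        seen[domain].append((day, host))
    findings = {}
    for domain, events in seen.items():
        created = registrations.get(domain)
        first_seen = min(day for day, _ in events)
        if created and first_seen < created:
            findings[domain] = {
                "first_seen": first_seen,
                "re_registered": created,
                # Hosts with a pre-existing infection still calling the old name.
                "hosts_before": sorted({h for d, h in events if d < created}),
                # Hosts reachable by whoever controls the domain now.
                "hosts_after": sorted({h for d, h in events if d >= created}),
            }
    return findings
```

Hosts listed only under `hosts_after` (here `ws-022`) started querying the domain after it changed hands, which suggests the old malware is still spreading internally.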

Looking for ways to proactively defend against russia-affiliated cyber attacks while donating to aid Ukraine? Gain access to 500+ Sigma rules against russian state-backed APTs along with 50 curated detection algorithms of your choice with our charity-based #Sigma2SaveLives subscription. Learn more at https://my.socprime.com/pricing/.
