With USB-spreading malware becoming a popular vector for initial access, cyber defenders remain vigilant in safeguarding the organization’s critical infrastructure. Cybersecurity researchers have recently observed malicious activity of the russia-linked cyberespionage group tracked as Turla APT leveraging legacy Andromeda USB-delivered malware to deploy novel backdoors and custom reconnaissance tools in cyber attacks against Ukraine.
With the growing attack volumes targeting Ukraine and its allies as part of russia’s offensive operations on the cyber frontline, defenders are joining forces to thwart the aggressor’s attacks. To help organizations timely identify the malicious activity of the russia-backed cyberespionage Turla group, SOC Prime Platform curates a set of relevant Sigma rules mapped to MITRE ATT&CK®. Follow the links below to gain instant access to the newly released Sigma rules written by our Threat Bounty developers, Aykut Gurses and Zaw Min Htun (ZETA), which detect the latest Turla attacks targeting Ukraine as part of the UNC4210 adversary campaign:
This Sigma rule developed by Aykut Gurses detects malicious files created by the .NET-based QUIETCANARY backdoor used to collect and leak data from compromised users. The rule is compatible with 20 SIEM, EDR, and XDR technologies and addresses the Command and Control tactic with Encrypted Channel (T1573) used as its primary technique.
This Sigma rule written by Zaw Min Htun (ZETA) detects attempts of the Turla group to collect data via WinRAR as part of the infamous UNC4210 malicious operation. This detection can be used across the industry-leading SIEM, EDR, XDR, and data lake solutions, like Snowflake, and addresses the Execution tactic with the corresponding User Execution (T1204) technique.
Join our Threat Bounty Program to enrich your Sigma and ATT&CK expertise by contributing your own detection code and gaining an opportunity to monetize your professional skills.
Being on the frontline of the global cyber war, SOC Prime is continuously enriching the detection stack with Sigma rules against any TTPs used by russia-affiliated groups to help Ukraine and its allies defend themselves from russian aggression. By following the links below, security engineers can access the list of dedicated behavior-based Sigma rules related to the UNC4210 Turla operation:
Click the Explore Detections button to drill down to the comprehensive list of Sigma rules enriched with relevant CTI, MITRE ATT&CK references, and other useful metadata to detect existing and emerging attacks by the Turla threat actors:
Since the outbreak of the global cyber war after russia’s full-scale invasion of Ukraine, cyber defenders are overwhelmed by the volume of destructive attacks launched by the aggressor’s state-sponsored groups targeting Ukraine and its allies. The russia-affiliated Turla cyberespionage group, also known under the monikers Iron Hunter, Krypton, Uroburos, or Venomous Bear, primarily targets government, diplomatic, and military organizations by applying multiple reconnaissance utilities and custom malware strains. Since February 2022, Turla has been affiliated with cyberespionage campaigns against Ukraine, largely focused on reconnaissance efforts and exploiting the phishing attack vector to steal credentials and other sensitive data.
Although the UNC4210 campaign was launched in September 2022, the targeted Ukrainian organization was infected with older Andromeda malware strains dating back to December 2021 and leveraging a compromised USB drive. Cybersecurity researchers unveiled that in this UNC4210 campaign, threat actors applied at least three expired Andromeda C2 domains to deploy the abovementioned payloads. According to Mandiant’s research, USB-delivered malware remains a popular initial access vector. Moreover, re-registered domains pose a significant risk to infected users enabling threat actors to expand their scope of attacks by spreading more malware strains and compromising a broader number of organizations.
Looking for ways to proactively defend against russia-affiliated cyber attacks while donating to aid Ukraine? Gain access to 500+ Sigma rules against russian state-backed APTs along with 50 curated detection algorithms of your choice with our charity-based #Sigma2SaveLives subscription. Learn more at https://my.socprime.com/pricing/.