Summary
Turla leveraged USB spread to introduce legacy ANDROMEDA into Ukrainian and other targets, then deployed KOPILUWAK to profile victims and QUIETCANARY to exfiltrate data, with multiple stages delivered via re-registered domains. The campaign shows targeted victim selection, extensive victim profiling, and use of expired domains and WinRAR SFX droppers to enable follow-on payloads. #ANDROMEDA #KOPILUWAK #QUIETCANARY #UNC4210 #Turla
Keypoints
- USB spread continues to serve as an initial access vector, with a Ukrainian organization infected via a USB containing older malware.
- ANDROMEDA was used as a first-stage dropper and persisted by writing itself to C:\ProgramData\Local Settings\Temp\mskmde.com and by adding a Run registry key.
- A re-registered C2 domain (anam0rph.su) was used and tracked to profile victims before delivering the KOPILUWAK dropper.
- KOPILUWAK served as a JavaScript-based reconnaissance utility to enable C2 communications and victim profiling, including basic host discovery.
- WinRAR Self-Extracting Archives delivered KOPILUWAK multiple times (Sept 6–8, 2022) to exfiltrate data to the C2, with large data transfers observed.
- QUIETCANARY, a lightweight .NET backdoor, was downloaded after profiling and used to compress, stage, and exfiltrate data; its communications are encrypted and encoded.
- The operation shows Turla adapting its toolkit (ANDROMEDA, KOPILUWAK, QUIETCANARY) in sequence, with indications of haste or operational deficiencies in some stages.
MITRE Techniques
- [T1091] Replication Through Removable Media – USB spreading malware used to gain initial access into organizations. ‘USB spreading malware continues to be a useful vector to gain initial access into organizations.’
- [T1055] Process Injection – The ANDROMEDA injected process “wuauclt.exe” made a GET request to the target; this demonstrates process-level manipulation. ‘The ANDROMEDA injected process “wuauclt.exe” made a GET request to “yelprope.cloudns[.]cl” …’
- [T1112] Modify Registry – Persistence via registry modification. ‘adding a Run Registry Key to execute it every time the system user logged on.’
- [T1547.001] Registry Run Keys / Startup Folder – Persistence mechanism described above for Run Keys.
- [T1584] Compromise Infrastructure – Re-registration of C2 domains (anam0rph[.]su) and use of dynamic DNS services (yelprope.cloudns[.]cl). ‘anam0rph[.]su … newly re-registered on 2022-08-12.’
- [T1560] Archive Collected Data – Data staging/exfiltration via WinRAR archives (win_rec.rar, win_files.rar, win_txt.rar). ‘Creation of “win_files.rar” password (redacted) encrypted archive split in 3MB parts…’
- [T1560.001] Archive via Utility – Use of WinRAR SFX dropper to package and exfiltrate data (multiple archives).
- [T1071.001] Web Protocols – C2 communications and data transfers over HTTP/HTTPS. ‘All network communications between QUIETCANARY and the C2 are RC4-encrypted and then Base-64 encoded over HTTPS.’
- [T1049] System Network Connections Discovery – KOPILUWAK reconnaissance of network connections. ‘basic network reconnaissance on the victim machine with whoami, netstat, arp, and net, looking for all current TCP connections (with PID) and network shares.’
- [T1057] Process Discovery – Discovery of running processes on the victim machine. ‘list of current running processes on the machine.’
- [T1082] System Information Discovery – Gathering system information. ‘looking for all current TCP connections (with PID) and network shares. The attackers also checked the logical disks…’
- [T1083] File and Directory Discovery – Discovery of files and directories. (Referenced in profiling outputs of KOPILUWAK and data collection steps.)
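As an added example (not code from the Mandiant post), the following Python routine applies the persistence pattern from the keypoints and the T1547.001 entry to constructed Sysmon-style events: a Run key value or file create pointing under C:\ProgramData\Local Settings\Temp, a .com extension masquerading as an executable, and a registry write performed by the injected wuauclt.exe process. The event dictionaries, field names and SIDs are constructed for illustration.

```python
import re

# Constructed sample events (not from the Mandiant post), shaped like Sysmon
# Event ID 13 (RegistryEvent: value set) and Event ID 11 (FileCreate).
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 11, "image": r"C:\Windows\System32\wuauclt.exe",
     "target": r"C:\ProgramData\Local Settings\Temp\mskmde.com"},
    {"id": 13, "image": r"C:\Windows\System32\wuauclt.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\mskmde",
     "details": r"C:\ProgramData\Local Settings\Temp\mskmde.com"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# The path ANDROMEDA wrote to in the described intrusion.
SUSPICIOUS_DIR = re.compile(r"^[A-Z]:\\ProgramData\\Local Settings\\Temp\\", re.IGNORECASE)
# Executable content hiding behind a non-.exe extension, as with mskmde.com.
EXEC_MASQ = re.compile(r"\.(com|scr|pif)$", re.IGNORECASE)


def classify(event):
    """Return the reasons this event matches the persistence pattern, or []."""
    reasons = []
    if event["id"] == 13:
        if not RUN_KEY.search(event["target"]):
            return reasons  # registry write outside Run/RunOnce: not of interest here
        path = event.get("details", "")
        if event["image"].lower().endswith(r"\wuauclt.exe"):
            reasons.append("Run key written by wuauclt.exe (injected host process)")
    elif event["id"] == 11:
        path = event["target"]
    else:
        return reasons
    if SUSPICIOUS_DIR.match(path):
        reasons.append("path under ProgramData\\Local Settings\\Temp")
    if EXEC_MASQ.search(path):
        reasons.append("executable with non-.exe extension")
    if event["id"] == 13 and reasons:
        reasons.insert(0, "Run key set")
    return reasons


def find_hits(events):
    """Collect (event id, target, reasons) for every event that matches."""
    return [(e["id"], e["target"], classify(e)) for e in events if classify(e)]
```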
Indicators of Compromise
- [File hash] ANDROMEDA – bc76bd7b332aa8f6aedbb8e11b7ba9b6 (TrustedInstaller.exe)
- [File] mskmde.com – ANDROMEDA persistence file dropped under C:\ProgramData\Local Settings\Temp (a file name, not a domain)
- [File hash] KOPILUWAK WinRAR SFX – 2eb6df8795f513c324746646b594c019
- [File] xpexplore.js – associated with KOPILUWAK C2 activity
- [Domain] yelprope.cloudns[.]cl – ANDROMEDA C2 domain used for command/controls
- [Domain] anam0rph[.]su – re-registered C2 domain used by UNC4210
- [IP] 212.114.52[.]24 – UNC4210/ANDROMEDA C2 activity
- [Domain] manager.surro[.]am – C2 server for KOPILUWAK data transfer
- [IP] 194.67.209[.]186:443 – QUIETCANARY C2 infrastructure
Read more: https://www.mandiant.com/resources/blog/turla-galaxy-opportunity