The PolySwarm Blog


Recent Turla Activity Targeting Ukraine

Jan 19, 2023 12:39:38 PM / by The Hivemind

Related Families: Andromeda, Kopiluwak, QuietCanary

Executive Summary

Mandiant recently reported on a Turla campaign targeting Ukraine. The threat actors used multiple malware families in this campaign, including Kopiluwak, QuietCanary, and Andromeda.

Key Takeaways

  • Turla was recently observed targeting entities in Ukraine in a campaign that appears to be motivated by espionage.
  • In the campaign, they leveraged Andromeda, Kopiluwak, and QuietCanary.
  • The campaign appears to be semi-targeted, with the threat actors screening potential victims prior to infecting them with the intended payload. 

Who is Turla?

Turla, also known as Venomous Bear, Snake, Uroburos, Waterbug, Krypton, Hippo Team, Iron Hunter, and Blue Python, is a Russia-nexus threat actor group known to target Eastern Bloc nations as well as other targets worldwide. Turla is believed to be responsible for a 2008 attack on US Central Command. Industry researchers assess that Turla is affiliated with the FSB. Turla has seemingly played an active role in the computer network operations aspect of the Russia-Ukraine conflict. In 2022, Turla was observed targeting defense and cybersecurity entities in the Baltic region using malicious documents. Turla also conducted a campaign leveraging malicious Android apps in mid-2022; in that campaign, they used a domain spoofing the Ukrainian Azov Regiment. In the more recently reported campaign, Turla used multiple malware families to target entities in Ukraine. The campaign began in late 2021 and stretched until September 2022. Malware families used in the campaign included Kopiluwak, QuietCanary, and Andromeda.

What is Andromeda?

In December 2021, an infected USB device containing several strains of malware was inserted at a Ukrainian organization, leading to an Andromeda infection. Andromeda is a modular backdoor trojan active as early as 2011 and associated with the Andromeda botnet. Andromeda is also known as Gamarue and Wauchos. It is known to target Windows devices. The Andromeda botnet was dismantled in an international takedown operation in late 2017. At its peak, Andromeda was known to distribute at least 80 malware families. It was also used to steal credentials. 

The version of Andromeda malware used in the Turla campaign has been around since at least 2013. When executed, the initial Andromeda binary drops another Andromeda sample to a temp file and adds a Run registry key so that the malware runs at logon. A C2 domain previously used by the old Andromeda botnet had expired but was re-registered in January 2022. Turla used this C2 to profile victims and determine which would receive the first-stage Kopiluwak dropper. Based on this, the campaign appears to have been semi-targeted.

What is Kopiluwak?

Months after the initial Andromeda infection, threat actors downloaded and executed a WinRAR SFX archive containing Kopiluwak. Kopiluwak is a reconnaissance utility written in JavaScript. Threat actors typically use Kopiluwak for victim profiling and C2 communications. It has been in the wild since at least 2017. Kopiluwak attempted to send data to another C2. Turla used Kopiluwak to conduct network reconnaissance with whoami, netstat, arp, and net, seeking TCP connections and network shares.
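The recon sequence described above is a pattern defenders can hunt for in process-creation telemetry: a script host launching several of whoami, netstat, arp, and net within a short window. The following is an added example (not from the Mandiant report or PolySwarm's tooling); the events are constructed, and the field layout, window, and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry):
# (timestamp, parent image path, child command line)
SAMPLE_EVENTS = [
    ("2022-09-01T10:00:01", "C:\\Windows\\System32\\wscript.exe", "whoami /all"),
    ("2022-09-01T10:00:03", "C:\\Windows\\System32\\wscript.exe", "netstat -ano"),
    ("2022-09-01T10:00:05", "C:\\Windows\\System32\\wscript.exe", "arp -a"),
    ("2022-09-01T10:00:08", "C:\\Windows\\System32\\wscript.exe", "net view"),
    ("2022-09-01T11:30:00", "C:\\Windows\\explorer.exe", "notepad.exe report.txt"),
    ("2022-09-01T12:00:00", "C:\\Windows\\System32\\cmd.exe", "whoami"),
]

# Recon utilities named in the report; script hosts used to run JavaScript tooling.
RECON_TOOLS = {"whoami", "netstat", "arp", "net"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def tool_name(cmdline):
    """Return the base executable name from a command line, lowercase, without '.exe'."""
    first = cmdline.strip().split()[0]
    return re.sub(r"\.exe$", "", first.rsplit("\\", 1)[-1].lower())


def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag each parent that launches at least min_distinct distinct recon tools within window."""
    by_parent = defaultdict(list)
    for ts, parent, cmd in events:
        name = tool_name(cmd)
        if name in RECON_TOOLS:
            by_parent[parent].append((datetime.fromisoformat(ts), name))
    hits = []
    for parent, runs in by_parent.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {n for t, n in runs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                hits.append({
                    "parent": parent,
                    "start": start.isoformat(),
                    "tools": sorted(seen),
                    # A script host as parent matches the JavaScript-based Kopiluwak tradecraft.
                    "script_host": parent.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS,
                })
                break
    return hits
```

A single `whoami` from cmd.exe does not trip the rule; only the clustered burst from the script host is reported.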

What is QuietCanary?

Two days after Kopiluwak was used to perform recon, QuietCanary was downloaded to the victim's machine. QuietCanary, also known as Tunnus, is a .NET backdoor used to gather and exfiltrate victim data. QuietCanary can handle commands issued by the C2. It uses hard-coded values for its C2, user agent, and RC4 key. Turla used QuietCanary to steal data from the target, presumably for espionage purposes.

IOCs

PolySwarm has multiple samples associated with this activity.

  • 6536b6b50aa1f6899ffa90aaf4b1b67c0ae0f6c0441016f5308b37c12141c61d (Kopiluwak)
  • 8d9bb878a18b2b7ef558504e78a59eb644f83a63679658533ff8accf0b85fda3 (Kopiluwak)
  • 9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7 (Andromeda)
  • 5f4b0aa22ce65b30fb232421673fad4c126970928207ade256d3bfee33dc3687 (Andromeda)

You can use the following CLI commands to search for all related samples in our portal:

$ polyswarm link list -f Kopiluwak

$ polyswarm link list -f Andromeda

