Malware, Threat Intelligence

Turla attacks against Ukraine involve other cybercrime groups’ tools

Flags of Russia and Ukraine. No war. Peace. Relationship between Ukraine and Russia.
(Image credit: opolja via Getty)

Russian state-backed advanced persistent threat operation Turla, also known as Secret Blizzard, Snake, Waterbug, and Venomous Bear, has been found using other cybercrime groups' tools and infrastructure to target Ukrainian military personnel, shortly after it was identified as having leveraged a Pakistani threat group's payloads to compromise South Asian organizations, Ars Technica reports.

After tapping Russian threat operation Storm-1837's backdoor in January to facilitate compromises with the Tavdig loader, Turla went on to leverage Storm-1919's Amadey botnet to distribute the XMRig cryptominer between March and April, according to an analysis from the Microsoft Threat Intelligence team. Turla "has been using footholds from third parties—either by surreptitiously stealing or purchasing access—as a specific and deliberate method to establish footholds of espionage value. Nevertheless, Microsoft assesses that while this approach has some benefits that could lead more threat adversaries to use it, it is of less use against hardened networks, where good endpoint and network defenses enable the detection of activities of multiple threat adversaries for remediation," said the report.

Related

More advanced Zloader malware variant emerges

Aside from using a domain generation algorithm and performing environment checks to prevent execution on systems other than the intended target, the newly discovered Zloader variant has also been spread through the GhostSocks payload as part of an updated attack chain, a report from Zscaler ThreatLabz showed.

Southeast Asia subjected to suspected Chinese cyberespionage campaign

The attacks involved open-source tools and living-off-the-land tactics previously associated with Chinese advanced persistent threat groups, including the Rakshasa and Stowaway reverse proxy programs, the PlugX remote access trojan, and custom DLL files used to exfiltrate login credentials, according to an analysis from the Symantec Threat Hunter Team.
