Unc4210

Malware updated 7 months ago (2024-05-04T20:20:19.967Z)
Download STIX
Preview STIX
UNC4210 is a malicious software (malware) discovered by Mandiant in September 2022, suspected to be an operation of the Turla Team. This malware was identified as it re-registered three expired ANDROMEDA command and control (C2) domains and began selectively deploying KOPILUWAK and QUIETCANARY to victims infected with ANDROMEDA, primarily in Ukraine. UNC4210 initially used KOPILUWAK as a "first-stage" profiling utility, marking it as the first custom malware utilized by this suspected Turla Team cluster following ANDROMEDA. On September 6, 2022, after several months of ANDROMEDA beaconing without significant activity, UNC4210 downloaded and executed a WinRAR Self-Extracting Archive (WinRAR SFX) containing KOPILUWAK. Two days later, on September 8, Mandiant detected UNC4210 downloading QUIETCANARY to a host twice, executing commands through it only on the second occasion. UNC4210 then interacted with the QUIETCANARY backdoor, using it for compressing, staging, and exfiltrating data approximately 15 minutes later. The process involved making a GET request to a ClouDNS dynamic DNS subdomain previously used by ANDROMEDA and re-registered by UNC4210. UNC4210 demonstrated advanced capabilities by attempting to collect documents and data using WinRAR. It created multiple password-encrypted archives containing specific file types, notably only exfiltrating files created after January 1, 2021. Through KOPILUWAK, UNC4210 conducted basic network reconnaissance on the victim machine, looking for current TCP connections and network shares. Despite these actions, it remains unclear why UNC4210 conducted such reconnaissance, as the profiling commands are hard-coded in KOPILUWAK and would not yield different sets of data from the same host.
Description last updated: 2024-05-04T19:03:04.018Z
What's your take? (Question 1 of 2)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
QUIETCANARY is a possible alias for Unc4210. Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with Unc4210. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
3
Source Document References
Information about the Unc4210 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more