Unc4210

Malware updated 4 months ago (2024-05-04T20:20:19.967Z)

Download STIX

Preview STIX

UNC4210 is a malicious software (malware) discovered by Mandiant in September 2022, suspected to be an operation of the Turla Team. This malware was identified as it re-registered three expired ANDROMEDA command and control (C2) domains and began selectively deploying KOPILUWAK and QUIETCANARY to victims infected with ANDROMEDA, primarily in Ukraine. UNC4210 initially used KOPILUWAK as a "first-stage" profiling utility, marking it as the first custom malware utilized by this suspected Turla Team cluster following ANDROMEDA. On September 6, 2022, after several months of ANDROMEDA beaconing without significant activity, UNC4210 downloaded and executed a WinRAR Self-Extracting Archive (WinRAR SFX) containing KOPILUWAK. Two days later, on September 8, Mandiant detected UNC4210 downloading QUIETCANARY to a host twice, executing commands through it only on the second occasion. UNC4210 then interacted with the QUIETCANARY backdoor, using it for compressing, staging, and exfiltrating data approximately 15 minutes later. The process involved making a GET request to a ClouDNS dynamic DNS subdomain previously used by ANDROMEDA and re-registered by UNC4210. UNC4210 demonstrated advanced capabilities by attempting to collect documents and data using WinRAR. It created multiple password-encrypted archives containing specific file types, notably only exfiltrating files created after January 1, 2021. Through KOPILUWAK, UNC4210 conducted basic network reconnaissance on the victim machine, looking for current TCP connections and network shares. Despite these actions, it remains unclear why UNC4210 conducted such reconnaissance, as the profiling commands are hard-coded in KOPILUWAK and would not yield different sets of data from the same host.

Description last updated: 2024-05-04T19:03:04.018Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
QUIETCANARY	2	Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Turla	Unspecified	3	Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT

Source Document References

Information about the Unc4210 Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
MITRE	9 months ago	Turla: A Galaxy of Opportunity
InfoSecurity-magazine	10 months ago	Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor
CERT-EU	a year ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker – National Cyber Security Consulting
CERT-EU	a year ago	Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering
CERT-EU	a year ago	Russia’s 'Turla' Group – A Formidable Cyberespionage Adversary