Unc4210

Malware Profile Updated 2 months ago
UNC4210 is a malicious software (malware) discovered by Mandiant in September 2022, suspected to be an operation of the Turla Team. It was identified when it re-registered three expired ANDROMEDA command and control (C2) domains and began selectively deploying KOPILUWAK and QUIETCANARY to victims already infected with ANDROMEDA, primarily in Ukraine. UNC4210 initially used KOPILUWAK as a "first-stage" profiling utility; it is the first custom malware this suspected Turla Team cluster used after ANDROMEDA.

On September 6, 2022, after several months of ANDROMEDA beaconing without significant activity, UNC4210 downloaded and executed a WinRAR self-extracting archive (WinRAR SFX) containing KOPILUWAK. Two days later, on September 8, Mandiant observed UNC4210 downloading QUIETCANARY to a host twice, executing commands through it only on the second occasion. Approximately 15 minutes later, UNC4210 used the QUIETCANARY backdoor to compress, stage, and exfiltrate data. This process involved a GET request to a ClouDNS dynamic DNS subdomain previously used by ANDROMEDA and re-registered by UNC4210.

UNC4210 demonstrated advanced capabilities by attempting to collect documents and data using WinRAR: it created multiple password-encrypted archives containing specific file types, and notably only exfiltrated files created after January 1, 2021. Through KOPILUWAK, UNC4210 conducted basic network reconnaissance on the victim machine, enumerating current TCP connections and network shares. It remains unclear why UNC4210 performed this reconnaissance, as the profiling commands are hard-coded in KOPILUWAK and would not yield a different set of data from the same host.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID (Votes): Profile Description

QUIETCANARY (2): Quietcanary is a malicious software (malware) that has been exploited by threat groups such as Pensive Ursa and Tomiris. The malware, known for its backdoor capabilities, has been in use since at least 2019, with Pensive Ursa deploying it against targets in Ukraine in September 2022, often in conjun

Tunnussched (1): TunnusSched is a malicious software (malware) that has been used by the Advanced Persistent Threat (APT) group known as Tomiris. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is capable of stealing personal information, disrupting operations, and even h

Snake (1): Snake, also known as EKANS, is a significant threat actor that has been active since at least 2004, with its activities potentially dating back to the late 1990s. This group, which may have ties to Iran, targets diplomatic and government organizations as well as private businesses across various reg

Uroburos (1): Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen

Telemiris (1): Telemiris is a malware identified as a Python backdoor that uses Telegram as a command-and-control (C2) channel. It was originally packed with PyInstaller, but later instances of Nuitka-packaged samples were also identified. Telemiris is primarily used as a first-stage implant by operators to deploy
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Dropper
State Sponso...
Russia
Espionage
Malware
Reconnaissance
WinRAR
T1070.004
T1564.003
T1547.001
T1033
T1049
T1082
T1083
T1518
T1560.001
T1608.003
Windows
Trojan
T1055
T1012
T1057
T1573.002
T1529
T1112
T1584
T1027
T1622
T1010
T1560
Kaspersky
T1071.001
Implant
Backdoor
Associated Malware
ID, Type (Votes): Profile Description

ANDROMEDA, Unspecified (1): Andromeda is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data ho

KOPILUWAK, Unspecified (1): KopiLuwak is a JavaScript-based malware used for command and control (C2) communications and victim profiling. It was initially dropped by Pensive Ursa using an MSIL dropper in a G20-themed attack in 2017, and later as a self-extracting archive (SFX) executable in late 2022. Upon execution, the SFX
Associated Threat Actors
ID, Type (Votes): Profile Description

Turla, Unspecified (3): Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp

Pensive Ursa, Unspecified (1): Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Associated Vulnerabilities
ID, Type (Votes): Profile Description

Unc4210 Kopiluwak, Unspecified (1): None

Unc4210 Andromeda, Unspecified (1): None

Kopiluwak Md5, Unspecified (1): None
Source Document References
Information about the Unc4210 Malware was read from the documents corpus below. This display is limited to 20 results.
Source, Created At: Title

MITRE, 7 months ago: Turla: A Galaxy of Opportunity

InfoSecurity-magazine, 8 months ago: Palo Alto Reveals New Features in Russian APT Turla's Kazuar Backdoor

CERT-EU, a year ago: Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting

CERT-EU, a year ago: Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering

CERT-EU, 10 months ago: Russia's 'Turla' Group – A Formidable Cyberespionage Adversary