Russian threat actors have taken advantage of the ongoing war in Ukraine to distribute Android malware disguised as an app that pro-Ukrainian hacktivists could use to launch distributed denial-of-service (DDoS) attacks against Russian websites.
Google’s Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also tracked as Krypton, Venomous Bear, Waterbug, and Uroburos and linked to Russia’s Federal Security Service (FSB).
“This is the first known case of Turla distributing Android-related malware,” said TAG researcher Billy Leonard. “The apps are not distributed through the Google Play Store, but are hosted on an actor-controlled domain and disseminated via links on third-party messaging services.”
It should be noted that the onslaught of cyberattacks immediately following Russia’s unprovoked invasion of Ukraine prompted the country to form an IT Army to carry out DDoS attacks against Russian websites. The Turla operation appears to be an attempt to turn this volunteer-run effort to the actor’s own advantage.
The decoy app, hosted on a domain impersonating the Azov Regiment, a unit of the Ukrainian National Guard, urges people around the world to resist “Russian aggression” by launching a denial-of-service attack against the web servers of “Russian websites to use their resources.”
Google TAG says the actors drew inspiration from another Android app, distributed through a website called “stopwar[.]pro”, which is also designed to conduct DoS attacks by repeatedly sending requests to target websites.
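The DoS technique described above, a client that simply hammers a target with repeated requests, is easy to spot from the server side because it shows up as a burst of requests from a single source. The following Python script is an added example, not code from Google TAG or from either of the apps mentioned: it parses access-log lines in the common combined format and flags any source address that exceeds a request threshold within a sliding time window. The sample log lines, the addresses, the threshold (20 requests) and the window (10 seconds) are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by Apache httpd and nginx:
# <ip> - - [<timestamp>] "<request line>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_floods(lines, threshold=20, window_seconds=10):
    """Return {ip: peak_count} for every source that exceeds `threshold`
    requests inside any `window_seconds` sliding window.

    Lines are assumed to be in chronological order (as a live access log is).
    A per-source deque of timestamps is trimmed from the left whenever it
    falls outside the window, so memory stays bounded by the window size.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the monitor
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: one flooding client and one ordinary visitor.

    These are not real log lines; the addresses come from the RFC 5737
    documentation ranges and the timestamps are made up.
    """
    fmt = '{ip} - - [20/Jul/2022:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    # Flood: 30 requests for the same page from one address within 3 seconds.
    for i in range(30):
        lines.append(fmt.format(ip="203.0.113.7", s=i // 10, path="/"))
    # Normal browsing: 5 distinct pages from another address over a minute.
    for i, path in enumerate(["/", "/news", "/about", "/news/1", "/contact"]):
        lines.append(fmt.format(ip="198.51.100.20", s=i * 12, path=path))
    return lines


if __name__ == "__main__":
    for ip, peak in find_floods(build_sample_log()).items():
        print(f"possible DoS source {ip}: {peak} requests in one window")
```

Only the flooding address is reported; the ordinary visitor never approaches the threshold. In production the same sliding-window logic would feed a rate limiter or WAF rule rather than a print statement, and the threshold should be tuned against the site’s normal per-client request rate so that legitimate crawlers are not flagged.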
That said, the number of installations of the malicious Cyber Azov app is very small, and there has been no major impact on Android users.
Separately, the Sandworm (aka Voodoo Bear) group has been linked to a distinct malicious campaign that exploits the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT), sending media entities in Ukraine links to Microsoft Office documents hosted on compromised websites.
UAC-0098, a threat actor that CERT-UA warned about last month for distributing tax-themed documents that exploit Follina, has also been assessed to be a former initial access broker with ties to the Conti group that was responsible for distributing the IcedID banking trojan.
Other cyber activity includes credential phishing attacks carried out by an adversary known as COLDRIVER (aka Callisto) against government and defense officials, politicians, NGOs, think tanks, and journalists.
These attacks involve emails sent directly from phishing domains or containing links to documents hosted on Google Drive and Microsoft OneDrive, which in turn contain links to attacker-controlled websites designed to steal passwords.
The latest developments are yet another sign that Russian threat actors continue to adapt their techniques and targeting as the conflict goes on.