C0026
C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[1]
| Item | Value |
|---|---|
| ID | C0026 |
| Associated Names | |
| First Seen | August 2022 |
| Last Seen | September 2022 |
| Version | 1.0 |
| Created | 15 May 2023 |
| Last Modified | 29 September 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | For C0026, the threat actors re-registered expired C2 domains previously used for ANDROMEDA malware.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | During C0026, the threat actors used WinRAR to collect documents on targeted systems. The threat actors appeared to only exfiltrate files created after January 1, 2021.[1] |
| enterprise | T1005 | Data from Local System | During C0026, the threat actors collected documents from compromised hosts.[1] |
| enterprise | T1030 | Data Transfer Size Limits | During C0026, the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.[1] |
| enterprise | T1568 | Dynamic Resolution | During C0026, the threat actors re-registered a ClouDNS dynamic DNS subdomain which was previously used by ANDROMEDA.[1] |
| enterprise | T1105 | Ingress Tool Transfer | During C0026, the threat actors downloaded malicious payloads onto select compromised hosts.[1] |
Software
| ID | Name | Description |
|---|---|---|
| S1074 | ANDROMEDA | During C0026, the threat actors re-registered expired ANDROMEDA domains to profile past victims for further targeting.[1] |