The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.
The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto “specifically selected” systems associated with the Ukrainian military between March and April 2024.
The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine.
“Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors,” the company said in a report shared with The Hacker News.
Some of the other known methods employed by the hacking crew include adversary-in-the-middle (AitM) campaigns, strategic web compromises (aka watering hole attacks), and spear-phishing.
Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but their primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies across the world.
The latest report comes a week after the tech giant, along with Lumen Technologies Black Lotus Labs, revealed Turla’s hijacking of 33 command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to carry out its own operations.
The attacks targeting Ukrainian entities entail commandeering Amadey bots to deploy a backdoor known as Tavdig, which is then used to install an updated version of Kazuar, which was documented by Palo Alto Networks Unit 42 in November 2023.
The cybercriminal activity tied to Amadey, which often includes the execution of the XMRig cryptocurrency miner, is being tracked by Microsoft under the moniker Storm-1919.
It’s believed that Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or accessed the Amadey command-and-control (C2) panels stealthily to download a PowerShell dropper on target devices. The dropper comprises a Base64-encoded Amadey payload that’s appended by a code segment, which calls back to a Turla C2 server.
“The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot,” Microsoft said.
The next phase involves downloading a bespoke reconnaissance tool with an aim to collect details about the victim device and likely check if Microsoft Defender was enabled, ultimately enabling the threat actor to zero in on systems that are of further interest.
At this stage, the attack proceeds to deploy a PowerShell dropper containing the Tavdig backdoor and a legitimate Symantec binary that’s susceptible to DLL side-loading. Tavdig, for its part, is used to conduct additional reconnaissance and launch KazuarV2.
Microsoft said it also detected the threat actor repurposing a PowerShell backdoor tied to a different Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149) to deploy a PowerShell dropper that embeds Tavdig.
Investigation into how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools is presently ongoing, the tech giant noted.
Needless to say, the findings once again highlight the threat actor’s repeated pursuit of footholds provided by other parties, either by purchasing the access or stealing them, to conduct espionage campaigns in a manner that obscures its own presence.
“It is not uncommon for actors to use the same tactics or tools, although we rarely see evidence of them compromising and using other actors’ infrastructure,” Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft, told The Hacker News.
“Most state-sponsored threat actors have operational objectives that rely on dedicated or carefully compromised infrastructure to retain the integrity of their operation. This is potentially an effective obfuscation technique to frustrate threat intelligence analysts and make attribution to the correct threat actor more difficult.”
