Pierluigi Paganini
December 12, 2024
The Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) was spotted using the Amadey malware to deploy the KazuarV2 backdoor on devices in Ukraine.
Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.
— Microsoft Threat Intelligence (@MsftSecIntel) December 11, 2024
The experts observed threat actors using the Amadey bot malware between March and April 2024. Microsoft highlights that the bot is linked to cybercrime activities and was used by attackers to infiltrate devices used by the Ukrainian military.
Storm-1919 often deploys XMRIG cryptocurrency miners via Amadey bots, used globally in 2024. According to Microsoft, Secret Blizzard group either leveraged Amadey as a service or accessed its C2 panels to deliver a PowerShell dropper containing encoded Amadey payloads and links to their C2 servers.
This operation marked at least the second instance since 2022 where Secret Blizzard leveraged a cybercrime campaign to gain a foothold in Ukraine for deploying its backdoors. This approach highlights the group’s strategy of blending cybercrime with targeted cyber-espionage activities.
“Microsoft also assesses that in January 2024, Secret Blizzard used the backdoor of Storm-1837, a Russia-based threat actor that targets Ukrainian military drone pilots, to download the Tavdig and KazuarV2 backdoors on a target device in Ukraine.” reads the analysis published by Microsoft. “Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors, including using strategic web compromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated intercept systems in Russia such as the “System for Operative Investigative Activities” (SORM).”
Secret Blizzard usually employs spear phishing to gain initial access, followed by server-side and edge device compromises for lateral movement.
Amadey bots encoded system data to communicate with the C2 at http://vitantgroup[.]com/xmlrpc.php, attempting to download two plugins, cred64.dll and clip64.dll, likely for credential and clipboard data theft. Secret Blizzard’s use of a separate C2 URL suggests it lacked full control over the Amadey bot’s primary C2 mechanism.
Secret Blizzard selectively deployed a custom survey tool to the targeted devices, including Ukrainian front-line military systems using STARLINK IPs. The tool collected detailed system data, encrypted it with RC4, and sent it to C2 servers. The malware deployed the Tavdig backdoor and a legitimate Symantec binary to devices of interest for DLL-sideloading, enabling further reconnaissance. Tools like procmap.exe compiled malicious files for additional payloads, including the KazuarV2 backdoor.
Microsoft said it also detected the threat actor repurposing a PowerShell backdoor linked to a distinct Russia-based hacking group called Flying Yeti (aka Storm-1837 and UAC-0149) to deploy a PowerShell dropper that embeds Tavdig.
Microsoft is still investigating into how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to download its own tools.
Needless to say, the findings once again highlight the threat actor’s repeated pursuit of footholds provided by other parties, either by purchasing the access or stealing them, to conduct espionage campaigns in a manner that obscures its own presence.
Microsoft published Indicators of compromise (IoCs) for this campaign.
Last week, researchers from Microsoft Threat Intelligence announced they had collected evidence that the Russia-linked ATP group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has used the tools and infrastructure of at least 6 other threat actors during the past 7 years.
The experts reported that the Secret Blizzard threat actor is compromising the infrastructure of the Pakistan-based threat actor Storm-0156 to conduct cyber espionage campaigns on targets in South Asia.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Russia)
