The HackerNews – The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto “specifically selected” systems associated with the Ukrainian military between March and April 2024.
The activity is assessed to be the second time since 2022 that Secret Blizzard, also known as Turla, has latched onto a cybercrime campaign to propagate its own tools in Ukraine.
“Commandeering other threat actors’ access highlights Secret Blizzard’s approach to diversifying its attack vectors,” the company said in a report shared with The Hacker News.
Some of the other known methods employed by the hacking crew include adversary-in-the-middle (AitM) campaigns, strategic web compromises (aka watering hole attacks), and spear-phishing.
Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but its primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies across the world.
The latest report comes a week after the tech giant, along with Lumen Technologies' Black Lotus Labs, revealed Turla's hijacking of 33 command-and-control (C2) servers belonging to a Pakistan-based hacking group named Storm-0156 to carry out its own operations.
The attacks targeting Ukrainian entities entail commandeering Amadey bots to deploy a backdoor known as Tavdig, which is then used to install an updated version of Kazuar, a backdoor documented by Palo Alto Networks Unit 42 in November 2023.
The cybercriminal activity tied to Amadey, which often includes the execution of the XMRig cryptocurrency miner, is being tracked by Microsoft under the moniker Storm-1919.
It’s believed that Secret Blizzard either used the Amadey malware-as-a-service (MaaS) or accessed the Amadey command-and-control (C2) panels stealthily to download a PowerShell dropper on target devices.
The dropper comprises a Base64-encoded Amadey payload followed by an appended code segment that calls back to a Turla C2 server.
“The need to encode the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard could indicate that Secret Blizzard was not directly in control of the C2 mechanism used by the Amadey bot,” Microsoft said.
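The dropper structure described above (a large embedded Base64 payload plus an appended network callback to a separate URL) is a detectable shape. The following is an added detection example, not code from the report or from Microsoft: it scans PowerShell script text for both indicators and decodes the blobs to confirm they are real Base64. The sample scripts, the harmless "payload" and the `.invalid` URL are all constructed here for illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Heuristic indicators derived from the described dropper shape:
# a long, decodable Base64 blob (embedded payload) plus a code segment
# that reaches out to a URL (the operator-appended callback).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
CALLBACK_CMDS = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString|"
    r"DownloadFile|Start-BitsTransfer|\biwr\b|\birm\b",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


@dataclass
class DropperFindings:
    base64_blobs: int = 0                 # decodable blobs of >= 200 chars
    decoded_bytes: int = 0                # total size of decoded payload(s)
    callback_urls: list = field(default_factory=list)
    suspicious: bool = False              # payload AND callback both present


def analyze_powershell(script: str) -> DropperFindings:
    """Flag scripts carrying an embedded Base64 payload together with a
    network callback; either indicator alone is common in benign admin code."""
    f = DropperFindings()
    for m in BASE64_BLOB.finditer(script):
        try:
            f.decoded_bytes += len(base64.b64decode(m.group(0), validate=True))
            f.base64_blobs += 1
        except (ValueError, binascii.Error):
            continue  # long but not Base64 (hex dump, token, etc.)
    has_callback = CALLBACK_CMDS.search(script) is not None
    if has_callback:
        f.callback_urls = sorted(set(URL.findall(script)))
    f.suspicious = f.base64_blobs > 0 and has_callback
    return f


# Constructed, benign stand-in for a dropper: the "payload" is a repeated
# Write-Host line (336 bytes -> 448 Base64 chars), the URL is a reserved
# .invalid name that never resolves.
_PAYLOAD = base64.b64encode(b"Write-Host 'constructed harmless payload' " * 8).decode()
SAMPLE_DROPPER = (
    f"$p = '{_PAYLOAD}'\n"
    "$d = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p))\n"
    "Invoke-WebRequest -Uri 'http://c2.example.invalid/cb' -UseBasicParsing\n"
)
SAMPLE_BENIGN = "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB\n"
```

Run over collected PowerShell script blocks (e.g. from event ID 4104 script block logging) and triage the `suspicious` hits by their decoded size and callback URLs.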
The next phase involves downloading a bespoke reconnaissance tool to collect details about the victim device and, likely, to check whether Microsoft Defender is enabled, ultimately enabling the threat actor to zero in on systems that are of further interest.
At this stage, the attack proceeds to deploy a PowerShell dropper containing the Tavdig backdoor and a legitimate Symantec binary that’s susceptible to DLL side-loading. Tavdig, for its part, is used to conduct additional reconnaissance and launch KazuarV2.