Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service

December 11, 2024 at 01:36PM

The Russian threat actor Secret Blizzard has been using the Amadey bot malware to deploy the Kazuar backdoor on Ukrainian military systems. This continues its strategy of using other attackers' access for espionage. Microsoft reports that the group uses various cyberattack methods to obtain covert intelligence.

### Meeting Takeaways – December 11, 2024: Malware / Cyber Espionage

1. **Threat Actor Identification**:
– The Russian nation-state actor known as **Secret Blizzard** (also referred to as **Turla**) is actively engaging in cyber espionage, particularly targeting Ukrainian military systems.

2. **Malware Usage**:
– Secret Blizzard is leveraging malware associated with other threat actors, specifically the **Amadey bot** malware, to deploy a backdoor called **Kazuar** on selected devices in Ukraine.

3. **Operational Tactics**:
– This marks the second occasion since 2022 on which Secret Blizzard has used another cybercrime campaign's infrastructure for its operations.
– Known tactics employed by Secret Blizzard include:
  – **Adversary-in-the-Middle (AitM)** campaigns
  – **Watering hole attacks** (strategic web compromises)
  – **Spear-phishing**

4. **Target Sectors**:
– The group is known for targeting foreign affairs ministries, embassies, government entities, defense departments, and defense-related companies globally.

5. **Recent Activities**:
– Recently, Secret Blizzard hijacked **33 command-and-control (C2) servers** from a Pakistan-based group, **Storm-0156**, to further its objectives.
– Attacks on Ukrainian entities involve commandeering Amadey bots to deploy the **Tavdig** backdoor, which ultimately installs Kazuar on compromised systems.

6. **Tool Deployment**:
– Microsoft noted that delivering the malware through a PowerShell dropper suggests Secret Blizzard may not have complete control over the Amadey C2 infrastructure, pointing to a possible compromise of that infrastructure.

7. **Reconnaissance Goals**:
– The next phase of the attack involves downloading a reconnaissance tool to gather information about the victim’s device, including checking for security measures like **Microsoft Defender**.

8. **Complex Attack Pattern**:
– The attack methodology includes using a PowerShell backdoor linked to another Russian group (Flying Yeti) to deploy the Tavdig dropper, further complicating attribution to Secret Blizzard.

9. **Final Observations**:
– Microsoft’s investigation into how Secret Blizzard obtained access to these tools and infrastructure continues.
– The findings underscore the group's strategic approach of reusing other actors' existing access to enhance its espionage capabilities while obscuring its operational footprint.

### Action Items:
– Keep monitoring developments related to Secret Blizzard and Amadey bot activities.
– Enhance awareness and defenses against similar multi-stage attacks that exploit third-party access.