Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service

Dec 11, 2024 | Ravie Lakshmanan | Malware / Cyber Espionage

The Russian nation-state actor known as Secret Blizzard has been identified using malware from other threat actors to deploy the Kazuar backdoor on devices in Ukraine.

These new insights were provided by the Microsoft threat intelligence team, who observed Secret Blizzard using the Amadey bot malware to install custom malware on specific Ukrainian military systems between March and April 2024.

This marks the second instance since 2022 that Secret Blizzard, also known as Turla, has inserted its own tools into cybercrime campaigns targeting Ukraine.

According to a report shared with The Hacker News, the company noted that Secret Blizzard diversifies its attack methods by leveraging other threat actors’ access.

The group has been involved in adversary-in-the-middle campaigns, strategic web compromises, and spear-phishing attacks, in addition to commandeering Amadey bots for its operations.

Secret Blizzard primarily targets ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies worldwide to establish covert access for intelligence gathering.

Recently, Microsoft and Lumen Technologies' Black Lotus Labs disclosed Secret Blizzard's hijacking of 33 command-and-control servers belonging to a Pakistan-based hacking group tracked as Storm-0156, which it then used for its own operations.

The attacks in Ukraine involve using Amadey bots to deploy the Tavdig backdoor, which then installs an updated version of the Kazuar backdoor reported by Palo Alto Networks Unit 42 in November 2023.

Microsoft is monitoring the cybercriminal activity associated with Amadey under the name Storm-1919, which often includes deploying the XMRig cryptocurrency miner.

Secret Blizzard likely used the Amadey malware-as-a-service (MaaS) or covertly accessed Amadey command-and-control (C2) panels to download a PowerShell dropper onto target devices. This dropper includes a Base64-encoded Amadey payload with a code segment that connects to a Turla C2 server.

Microsoft pointed out that encoding the PowerShell dropper with a separate C2 URL controlled by Secret Blizzard suggests that the group might not have direct control over the Amadey bot’s C2 mechanism.

Subsequently, a custom reconnaissance tool is downloaded to gather device information and check for Microsoft Defender presence, allowing the threat actor to focus on specific systems of interest.

The attack then proceeds to deploy a PowerShell dropper containing the Tavdig backdoor and a vulnerable Symantec binary for DLL side-loading. Tavdig is used for further reconnaissance and launching KazuarV2.
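The chain described above, a PowerShell dropper carrying a Base64-encoded payload and a separate C2 URL, followed by a signed binary side-loading a DLL, can be hunted for in endpoint process and image-load telemetry. The Python below is an added example, not code from Microsoft's report or from this article; the event layout, paths, signer name, URL and PIDs are constructed placeholders rather than indicators from the campaign.

```python
import base64
import re
# Constructed sample telemetry in a Sysmon-like shape (process-create and image-load
# records); paths, signer, URL and PIDs are placeholders, not indicators from the report.
TOOL = r"C:\Users\u\AppData\Local\Temp\vendor_tool.exe"
ENCODED = base64.b64encode("$p=[Convert]::FromBase64String('QUJD'); $u='http://c2.example/drop'".encode("utf-16le")).decode()
PROCESS_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Users\u\AppData\Roaming\bot.exe", "cmdline": "bot.exe"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED},
    {"pid": 12, "ppid": 11, "image": TOOL, "cmdline": "vendor_tool.exe"},
]
IMAGE_LOADS = [  # a signed vendor EXE pulling an unsigned DLL from its own Temp directory
    {"pid": 12, "image": TOOL, "image_signer": "Example Vendor",
     "dll": r"C:\Users\u\AppData\Local\Temp\helper.dll", "dll_signed": False},
    {"pid": 12, "image": TOOL, "image_signer": "Example Vendor",
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
]
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_dropper(cmdline):
    """Encoded PowerShell that both unpacks a Base64 blob and carries a remote URL."""
    script = decode_encoded_command(cmdline)
    return bool(script and "FromBase64String" in script and re.search(r"https?://", script))

def is_sideload(load):
    """Signed host EXE loading an unsigned DLL from its own directory outside system paths."""
    same_dir = load["dll"].rsplit("\\", 1)[0].lower() == load["image"].rsplit("\\", 1)[0].lower()
    system_path = load["image"].lower().startswith((r"c:\windows", r"c:\program files"))
    return bool(load["image_signer"]) and not load["dll_signed"] and same_dir and not system_path

def detect_chain(procs, loads):
    """PIDs of side-loading processes that descend from a PowerShell dropper process."""
    parent = {p["pid"]: p["ppid"] for p in procs}
    droppers = {p["pid"] for p in procs if p["image"].lower().endswith("powershell.exe") and is_dropper(p["cmdline"])}
    def has_dropper_ancestor(pid):
        while pid in parent:  # walk up the process tree (sample has no pid-reuse cycles)
            pid = parent[pid]
            if pid in droppers:
                return True
        return False
    return sorted({l["pid"] for l in loads if is_sideload(l) and has_dropper_ancestor(l["pid"])})
```

Either stage alone is noisy on real hosts (administrators use encoded commands, and many legitimate programs load DLLs from their own folder); the correlation of a dropper ancestor with a side-load in a user-writable path is what raises the signal.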

Microsoft also detected Secret Blizzard repurposing COOKBOX, a PowerShell backdoor linked to another Russian hacking group called Flying Yeti, to deploy a PowerShell dropper embedding Tavdig.

An investigation is ongoing to determine how Secret Blizzard gained control of the Storm-1837 backdoor or Amadey bots to deploy its own tools, according to Microsoft.

These findings underscore Secret Blizzard’s strategy of leveraging access from other parties, either by purchasing or stealing it, to conduct espionage activities while concealing its presence.

Sherrod DeGrippo, director of Threat Intelligence Strategy at Microsoft, mentioned to The Hacker News that although state-sponsored threat actors typically use dedicated infrastructure for their operations, using other actors’ tactics or tools is uncommon and can complicate attribution.