Full Report
The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine. The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically
Analysis Summary
# Threat Actor: Secret Blizzard (Turla)
## Attribution & Identity
* **Attribution:** Russian nation-state actor.
* **Known Aliases:** Turla.
* **Associated Groups/Activity:** Observed leveraging malware associated with the cybercrime operation tracked by Microsoft as Storm-1919 (Amadey bot). Also repurposed a PowerShell backdoor tied to Flying Yeti.
## Activity Summary
Secret Blizzard was observed between March and April 2024 exploiting access gained via the Amadey botnet to deploy its custom malware on systems associated with the Ukrainian military. This marks the second time since 2022 that the group has latched onto a cybercrime campaign to propagate its tools in Ukraine. The actor also recently hijacked 33 C2 servers of the Pakistan-based hacking group Storm-0156.
## Tactics, Techniques & Procedures
* **Command & Control (C2) Hijacking/Leveraging:** Commandeering or piggybacking on other threat actors' or cybercrime infrastructure.
* **Malware Chaining:** Using initial access (via Amadey bots) to download a PowerShell dropper, which then calls back to a Turla C2 server.
* **Reconnaissance:** Deploying a bespoke reconnaissance tool to collect system details and check for Microsoft Defender enablement.
* **DLL Side-Loading:** Utilized a legitimate Symantec binary susceptible to DLL side-loading.
* **Observed Techniques (General):** Adversary-in-the-Middle (AitM) campaigns, strategic web compromises (watering hole attacks), and spear-phishing.
## Targeting
* **Sectors:** Ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies.
* **Geography:** Ukraine (primary focus in the recent activity); global presence more generally.
* **Victims:** Specifically selected systems associated with the Ukrainian military (March-April 2024).
## Tools & Infrastructure
* **Malware Families Used:**
* Kazuar (specifically an updated version, KazuarV2).
* Tavdig (PowerShell backdoor).
* Amadey bot malware (used for initial access/delivery).
* PowerShell dropper.
* **Infrastructure (C2, domains, IPs):**
* Custom C2 servers controlled by Secret Blizzard (used for the PowerShell dropper callback).
## Implications
Secret Blizzard utilizes other threat actors' footholds (purchased or stolen access) as an obfuscation technique to frustrate attribution, diversify attack vectors, and obscure its own presence while conducting long-term intelligence collection operations.
## Mitigations
* Monitor for unusual C2 callback mechanisms originating from initial access brokers or compromised cybercrime infrastructure (e.g., PowerShell dropper appending a separate, actor-controlled C2 URL).
* Implement robust endpoint detection and response (EDR) capable of detecting DLL side-loading abuses involving legitimate binaries.
* Monitor for known tools and TTPs associated with Storm-1919 (Amadey) activity that pivots to deploying sophisticated espionage backdoors like Kazuar or Tavdig.
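The first two mitigations above describe detection logic rather than a tool, so here is an added example (not code from the original report or from Microsoft) showing how those two checks can be expressed over endpoint telemetry. It assumes a simplified Sysmon-style event schema (EventID 1 process create, 3 network connect, 7 image load, with `LoaderSigned`/`LoadedSigned` booleans standing in for Sysmon's signature fields), a hypothetical allowlist of destinations that scripts are permitted to contact, and constructed sample events; the hostnames, paths and process IDs are made up and are not indicators from the report.

```python
"""Two toy detections for the Secret Blizzard TTPs above, run over constructed
Sysmon-style events: (1) a PowerShell process spawned by a binary in a
user-writable directory that then calls out to a non-allowlisted host (the
Amadey -> PowerShell dropper -> actor-controlled C2 chain), and (2) a signed
executable loading an unsigned DLL from its own, user-writable directory (the
classic DLL side-loading layout). Field names are a simplified assumption."""
from ntpath import basename, dirname

# Hypothetical allowlist: hosts the organisation's own scripts are expected
# to reach. Any other destination from a script host is treated as suspect.
ALLOWED_HOSTS = {"wsus.corp.example", "psgallery.corp.example"}

# Path fragments that mark user-writable locations (matched case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\", "\\public\\")

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def is_user_writable(path: str) -> bool:
    """True if the path lies under a directory a standard user can write to."""
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def detect_script_host_callbacks(events):
    """Correlate process-create and network-connect events by ProcessId.
    A real engine would key on ProcessGuid to survive PID reuse."""
    suspicious = {}  # ProcessId -> the process-create event that flagged it
    alerts = []
    for ev in events:
        if (ev["EventID"] == 1
                and basename(ev["Image"]).lower() in SCRIPT_HOSTS
                and is_user_writable(ev["ParentImage"])):
            suspicious[ev["ProcessId"]] = ev
        elif (ev["EventID"] == 3
                and ev["ProcessId"] in suspicious
                and ev["DestinationHostname"].lower() not in ALLOWED_HOSTS):
            alerts.append({
                "rule": "script-host-callback-from-untrusted-parent",
                "pid": ev["ProcessId"],
                "parent": suspicious[ev["ProcessId"]]["ParentImage"],
                "destination": ev["DestinationHostname"],
            })
    return alerts


def detect_dll_sideload_candidates(events):
    """Flag image loads where a signed loader pulls an unsigned DLL from the
    loader's own directory and that directory is user-writable."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 7:
            continue
        exe_dir = dirname(ev["Image"]).lower()
        dll_dir = dirname(ev["ImageLoaded"]).lower()
        if (ev["LoaderSigned"] and not ev["LoadedSigned"]
                and exe_dir == dll_dir and is_user_writable(exe_dir)):
            alerts.append({
                "rule": "dll-sideload-candidate",
                "loader": ev["Image"],
                "dll": ev["ImageLoaded"],
            })
    return alerts


def run_detections(events):
    """Run both detections and return all alerts in one list."""
    return detect_script_host_callbacks(events) + detect_dll_sideload_candidates(events)


# Constructed sample telemetry (not real indicators). The first pair mirrors the
# dropper chain; the second pair is benign admin use; the image loads show one
# side-loading layout and one legitimate vendor load from Program Files.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4321,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "powershell.exe -nop -w hidden -File dropper.ps1"},
    {"EventID": 3, "ProcessId": 4321, "DestinationHostname": "c2-callback.invalid"},
    {"EventID": 1, "ProcessId": 5000,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File Install-Module.ps1"},
    {"EventID": 3, "ProcessId": 5000, "DestinationHostname": "psgallery.corp.example"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\VendorTool\\signed-vendor-tool.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\VendorTool\\helper.dll",
     "LoaderSigned": True, "LoadedSigned": False},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "LoaderSigned": True, "LoadedSigned": True},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow: the callback rule only fires when the script host's parent already looks like a dropped first stage, and the side-load rule ignores loads from Program Files or System32, which keeps noise low at the cost of missing side-loading staged in protected directories. Tune `ALLOWED_HOSTS` and `USER_WRITABLE` to the environment before relying on either.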