
The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies in Moscow by means of adversary-in-the-middle (AitM) attacks at the Internet Service Provider (ISP) level, delivering a custom malware called ApolloShadow.
"ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, and enables Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection purposes," the Microsoft Threat Intelligence team said in a report shared with The Hacker News.
The activity is assessed to have been ongoing since at least 2024, and the campaign poses a security risk to diplomatic personnel who rely on local ISPs or telecommunications services in Russia.
Secret Blizzard (formerly Krypton), which is affiliated with Russia's Federal Security Service (FSB), is also tracked by the broader cybersecurity community under the monikers Blue Python, Iron Hunter, Pensive Ursa, Snake, SUMMIT, Uroburos, Turla, Venomous Bear, and Waterbug.

In December 2024, Microsoft and Lumen Technologies' Black Lotus Labs revealed that the hacking group had hijacked the command-and-control (C2) infrastructure of Pakistan-based threat actors to carry out its own attacks, a way of clouding attribution efforts.
The adversary has also been observed piggybacking on malware associated with other threat actors to deliver the Kazuar backdoor to target devices in Ukraine.
The Windows maker noted that the AitM position is likely facilitated by lawful intercept, and that it lets the threat actor obtain elevated access to the system, including by installing root certificates under the guise of Kaspersky anti-virus.

Initial access is achieved by threat actor-controlled infrastructure placing the target device behind a captive portal, which leads to the download and execution of the ApolloShadow malware.
"Behind the captive portal, the Windows Test Connectivity Status Indicator is launched. This is a legitimate service that sends an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect to determine whether the device has internet access or not," Microsoft said.
"When the system opens a browser window to this address, the system is redirected to another actor-controlled domain, which likely displays certificate validation errors, prompting the target to download and run ApolloShadow."

The malware beacons host information to a C2 server and, if the device is not running with default administrative settings, it executes a binary called CertificateDB.exe and retrieves an unknown Visual Basic Script as a second-stage payload.
In the final step, the ApolloShadow process relaunches itself, presenting the user with a User Account Control (UAC) pop-up that instructs them to grant the highest privileges available to the user.

The execution path for ApolloShadow differs if the process is already running with sufficiently high privileges. In that case, it sets all networks to Private via a registry profile change and creates an administrative user with the username UpdatusUser and a hardcoded password, allowing persistent access to the machine.
"This induces several changes, including making the host device discoverable and relaxing firewall rules to allow file sharing," the company said. "While we have not seen direct attempts at lateral movement, the primary reason for these modifications is likely to reduce the difficulty of lateral movement on the network."
Once this step completes successfully, the victim is presented with a window indicating that certificate deployment is in progress, and two root certificates are installed on the machine using the certutil utility. It also drops a file called "wincert.js" that allows Mozilla Firefox to trust the root certificate.
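The host-side artifacts described above (root certificates added with certutil, a new local administrator, network profiles flipped to Private, relaxed file-sharing firewall rules, a dropped wincert.js, and a captive portal sitting in front of the NCSI probe) can each be checked from an elevated PowerShell session. The script below is an added hunting example written for this article; it is not code from Microsoft's report or from the ApolloShadow sample. The baseline file path, the 30-day lookback window, the Firefox search directories and the use of the NCSI connecttest.txt endpoint are assumptions, marked inline:

```powershell
# Added hunting script (not from Microsoft's report or the ApolloShadow sample).
# Run from an elevated PowerShell session on the Windows host under review.
# Assumptions are marked inline: baseline path, account name, Firefox paths, lookback.

$lookbackDays = 30                                   # assumed review window
$baselinePath = 'C:\Baseline\root-thumbprints.txt'   # assumed: one thumbprint per line from a known-good build
$suspectUser  = 'UpdatusUser'                        # account name reported for ApolloShadow
$findings     = [System.Collections.Generic.List[string]]::new()

# 1. Root certificates: "certutil -addstore Root" writes into these stores.
#    Compare machine and user Root stores against the baseline; with no baseline, list everything.
$roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root
if (Test-Path $baselinePath) {
    $baseline = Get-Content $baselinePath | ForEach-Object { $_.Trim().ToUpper() }
    $roots = $roots | Where-Object { $baseline -notcontains $_.Thumbprint.ToUpper() }
}
foreach ($c in $roots) {
    $store = $c.PSParentPath -replace '.*::', ''      # e.g. LocalMachine\Root
    $findings.Add("ROOT-CERT    $store  $($c.Thumbprint)  $($c.Subject)")
}

# 2. Local administrator created with a hardcoded password: check group membership
#    and Security event 4720 (user account created) inside the lookback window.
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$suspectUser" } |
    ForEach-Object { $findings.Add("ADMIN-USER   $($_.Name)") }
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$lookbackDays) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # First EventData field of 4720 is TargetUserName, the account that was created
    $findings.Add("ACCT-CREATED $($_.TimeCreated)  $($_.Properties[0].Value)")
}

# 3. Network profiles switched to Private: live view plus the registry profile store
#    the malware edits. Category 0 = Public, 1 = Private, 2 = Domain.
Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Private' } | ForEach-Object {
    $findings.Add("NET-PRIVATE  $($_.InterfaceAlias)  $($_.Name)")
}
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.Category -eq 1 } |
    ForEach-Object { $findings.Add("NET-PROFILE  $($_.ProfileName)  Category=Private") }

# 4. File-sharing firewall rules that network discovery turns on.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("FW-RULE      $($_.DisplayName) ($($_.Direction))") }

# 5. Firefox: the report names a dropped wincert.js. The install directory and the
#    user profile directory are assumed search locations, not locations from the report.
$ffPaths = @("$env:ProgramFiles\Mozilla Firefox", "$env:APPDATA\Mozilla\Firefox\Profiles")
foreach ($p in $ffPaths) {
    if (Test-Path $p) {
        Get-ChildItem $p -Recurse -Filter 'wincert.js' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("FIREFOX-JS   $($_.FullName)") }
    }
}

# 6. NCSI probe: the legitimate connecttest.txt body is exactly "Microsoft Connect Test".
#    A captive portal in the path answers with something else (or a redirect to its own page).
#    Needs network access; a failure is reported rather than treated as clean.
try {
    $r = Invoke-WebRequest -Uri 'http://www.msftconnecttest.com/connecttest.txt' -UseBasicParsing -TimeoutSec 10
    if ($r.Content.Trim() -ne 'Microsoft Connect Test') {
        $snippet = $r.Content.Substring(0, [Math]::Min(60, $r.Content.Length))
        $findings.Add("NCSI-PROBE   unexpected body: $snippet")
    }
} catch {
    $findings.Add("NCSI-PROBE   request failed: $($_.Exception.Message)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The root-store comparison is only as good as its baseline: a clean Windows build already contains Microsoft-managed roots plus roots added by legitimately installed software, so treat every line the script prints as a lead to review (subject, issuer, install context) rather than something to delete automatically. The NCSI check is the one step that depends on the network path; run it on the suspect ISP connection and again on a trusted tunnel and compare the two results.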
To protect against Secret Blizzard activity, diplomatic entities operating in Moscow are encouraged to enforce the principle of least privilege (PoLP), review privileged groups regularly, and route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) provider.