Pulse Detail — Threat Intelligence

PULSE NAME

Frequent freeloader: Russian actor using tools of other groups to attack Ukraine

WHITE Turla AlienVault 2024-12-13 Modified: 2024-12-13

IOCs

MEDIUM VOLUME

Russian nation-state actor Secret Blizzard has been observed using tools and infrastructure from other threat actors to compromise targets in Ukraine. Between March and April 2024, Secret Blizzard utilized the Amadey bot malware associated with cybercriminal activity to deploy its custom Tavdig and KazuarV2 backdoors on Ukrainian military devices. In January 2024, Secret Blizzard also leveraged a backdoor from Storm-1837, a Russia-based threat actor targeting Ukrainian drone pilots, to install its malware. This approach highlights Secret Blizzard's strategy of diversifying attack vectors and prioritizing access to military targets in Ukraine. The actor employs various techniques including strategic web compromises, adversary-in-the-middle campaigns, and spear-phishing for initial access.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1047 T1003 T1133 T1553.002 T1082 T1140 T1190 T1036 T1055 T1016 T1083 T1204 T1059.001 T1566 T1078 T1027 T1546 T1012 T1018 T1105

MALWARE FAMILIES

Amadey - S1025 Tavdig KazuarV2

Indicators of Compromise (24)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	123cdee8a31e52577191351fae7b53ef	—	2024-12-13
FileHash-MD5	62944e26b36b1dcace429ae26ba66164	—	2024-12-13
FileHash-MD5	d317ee086ebeccf5e01e002ca6b0ead9	—	2024-12-13
FileHash-MD5	db04aa6e158c5d52c20fc855f5285905	—	2024-12-13
FileHash-SHA1	2616da1697f7c764ee7fb558887a6a3279861fac	—	2024-12-13
FileHash-SHA1	48e8c5846d9c67649b3c2fb8d76aa951828dd84e	—	2024-12-13
FileHash-SHA1	822416dfa3f094aa6776ed0cad77fb9083db29a3	—	2024-12-13
FileHash-SHA1	e8e645d8844b9a19012238be6ab2c4149d62f1cf	—	2024-12-13
FileHash-SHA256	a56703e72f79b4ec72b97c53fbd8426eb6515e3645cb02e7fc99aaaea515273e	—	2024-12-13
FileHash-SHA256	ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f	—	2024-12-13
FileHash-SHA256	d26ac1a90f3b3f9e11491f789e55abe5b7d360df77c91a597e775f6db49902ea	—	2024-12-13
FileHash-SHA256	d7e528b55b2eeb6786509664a70f641f14d0c13ceec539737eef26857355536e	—	2024-12-13
FileHash-SHA256	dfdc0318f3dc5ba3f960b1f338b638cd9645856d2a2af8aa33ea0f9979a9ca4c	—	2024-12-13
FileHash-SHA256	ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9	—	2024-12-13
FileHash-SHA256	f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68	—	2024-12-13
URL	http://vitantgroup.com/xmlrpc.php	—	2024-12-13
URL	https://brauche-it.de/wp-includes/blocks/blocksu9ky0o	—	2024-12-13
URL	https://citactica.com/wp-content/wp-login.php	—	2024-12-13
URL	https://coworkingdeamicis.com/wp-includes/Text/TextYpRm9l	—	2024-12-13
URL	https://hospitalvilleroy.com.br/wp-includes/fonts/icons/	—	2024-12-13
URL	https://icw2016.coachfederation.cz/wp-includes/images/wp/	—	2024-12-13
URL	https://okesense.oketheme.com/wp-includes/sodium_compat/sodium_compatT4FF1a	—	2024-12-13
URL	https://plagnol-charpentier.fr/wp-includes/random_compat/random_compata0zW7Q	—	2024-12-13
URL	https://socprime.com/blog/uac-0149-attack-detection-hackers-launch-a-targeted-attack-against-the-armed-forces-of-ukraine-as-cert-ua-reports/	—	2024-12-13

References (1)

↗ https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/