Microsoft has uncovered a long-running campaign by a threat group affiliated with Russian intelligence that has targeted diplomats working in Russia with a custom tool called ApolloShadow that enables the group to maintain persistence on victims’ devices as part of a cyberespionage operation.

The group is known as Secret Blizzard, and Microsoft’s researchers found that it has the capability to conduct espionage activities at the ISP level, making it a highly positioned adversary-in-the-middle (AiTM). Secret Blizzard is an established, known threat actor that CISA attributes to Russia’s Federal Security Service.

What Microsoft Found

  • Secret Blizzard is using a privileged position at the ISP level in Russia to gain initial access to devices by redirecting them through a captive portal, like the kind you might see when using a hotel or other public network. When a target device opens a browser connection, the attackers redirect the browser to a site they control and show a certificate validation error, which then prompts the victim to install ApolloShadow.
  • Microsoft said: “Following execution, ApolloShadow checks for the privilege level of the ProcessToken and if the device is not running on default administrative settings, then the malware displays the user access control (UAC) pop-up window to prompt the user to install certificates with the file name CertificateDB.exe, which masquerades as a Kaspersky installer to install root certificates and allow the actor to gain elevated privileges in the system.”
  • ApolloShadow can run with either low or elevated privileges. When it’s running with high privileges, the malware makes some changes to the target device that make remote file retrieval easier. ApolloShadow also installs two new root certificates to maintain persistence.
  • From Microsoft’s report: “The malware must add a preference file to the Firefox preference directory because Firefox uses different certificate stores than browsers such as Chromium, which results in Firefox not trusting the root and enterprise store by default. ApolloShadow reads the registry key that points to the installation of the application and builds a path to the preference directory from there. A file is written to disk called wincert.js containing a preference modification for Firefox browsers, allowing Firefox to trust the root certificates added to the operating system’s certificate store.”
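
As an added defender-side example (not code from Microsoft’s report or from Decipher), the following Python checker parses Firefox preference files of the kind ApolloShadow is described as dropping and flags both the reported wincert.js file name and any preference that makes Firefox trust the operating system’s root store. The article does not name the preference or the directory; the `security.enterprise_roots.enabled` switch and the `defaults/pref` location are assumptions based on how Firefox is normally configured, and the sample file contents are constructed.

```python
import re
from pathlib import Path

# Firefox pref-file syntax: pref("name", value); or user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;',
    re.M,
)

# Assumption: the article does not name the preference. security.enterprise_roots.enabled
# is the standard Firefox switch that makes it trust certificates in the OS root store,
# which is the effect Microsoft describes.
SUSPICIOUS_PREFS = {"security.enterprise_roots.enabled": "true"}
SUSPICIOUS_NAMES = {"wincert.js"}  # file name reported by Microsoft


def parse_prefs(text):
    """Return {name: raw_value} for every pref()/user_pref() line in a Firefox pref file."""
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}


def audit_pref_file(name, text):
    """Return a list of findings for one preference file (file name plus contents)."""
    findings = []
    if name.lower() in SUSPICIOUS_NAMES:
        findings.append(f"{name}: file name matches reported ApolloShadow artifact")
    for pref, raw in parse_prefs(text).items():
        if SUSPICIOUS_PREFS.get(pref) == raw:
            findings.append(f"{name}: sets {pref}={raw} (Firefox will trust OS root store)")
    return findings


def audit_firefox_install(install_dir):
    """Walk <install>/defaults/pref (assumed drop location) and collect findings."""
    findings = []
    for path in sorted(Path(install_dir, "defaults", "pref").glob("*.js")):
        findings.extend(audit_pref_file(path.name, path.read_text(errors="replace")))
    return findings


# Constructed samples: one file shaped like the reported drop, one ordinary default-pref file.
SAMPLE_WINCERT_JS = 'pref("security.enterprise_roots.enabled", true);\n'
SAMPLE_BENIGN_JS = (
    'pref("browser.startup.homepage", "about:home");\n'
    'pref("app.update.enabled", false);\n'
)

if __name__ == "__main__":
    for finding in audit_pref_file("wincert.js", SAMPLE_WINCERT_JS):
        print(finding)
    print("benign findings:", audit_pref_file("local-settings.js", SAMPLE_BENIGN_JS))
```

Point `audit_firefox_install` at a real Firefox installation directory to scan it; a clean install returns an empty list.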

It’s interesting to note that Secret Blizzard is conducting this kind of activity at the telco/ISP level, a highly privileged position that gives the group broad latitude in targeting and attack vectors. That position means Secret Blizzard could target virtually any device that connects to the networks on which it has that visibility, not just those of high-value diplomatic targets.

Secret Blizzard has been tracked by research teams for many years and is known by a variety of other names, including Turla, Snake, and Uroburos.

Note: Cisco and Duo are no longer affiliated with Decipher. All opinions and content provided here from April 11 are solely that of Decipher and do not reflect opinions or content of Cisco Systems, Inc. or any of its affiliates.