Russia's 'Star Blizzard' APT Upgrades its Stealth, Only to Be Unmasked Again

After multiple exposures and disruptions, a Kremlin-sponsored advanced persistent threat actor has once again upgraded its evasion techniques.
That move, too, was exposed this week, by Microsoft.
Historically, Star Blizzard has focused its aim on public and private organizations in NATO member countries, typically in fields related to politics, defense, and related sectors - NGOs, think tanks, journalists, academic institutions, intergovernmental organizations, and so on.
In recent years, it has especially targeted individuals and organizations providing support for Ukraine.
Alongside its successful breaches, Star Blizzard is also known for its OpSec failures.
Microsoft disrupted the group in August 2022 and, in the time since, Recorded Future has tracked it as it not so subtly attempted to shift to new infrastructure.
On Thursday, Microsoft returned to report on the group's latest efforts at evasion.
These efforts include five primary new tricks, most notably the weaponization of email marketing platforms.
Microsoft declined to provide comment for this article.
Star Blizzard's Latest TTPs

To aid in sneaking past email filters, Star Blizzard has started using password-protected PDF lure documents, or links to cloud-based file sharing platforms with the protected PDFs contained within.
The passwords to these documents typically come packaged in the same phishing email, or an email sent shortly after the first.
As small roadblocks for potential human analysis, Star Blizzard has begun using a domain name service provider as a reverse proxy - obscuring the IP addresses associated with its virtual private servers - and server-side JavaScript snippets intended to prevent automated scanning of its infrastructure.
It's also using a more randomized domain generation algorithm, to make detecting patterns in its domains more cumbersome.
As Microsoft points out, however, Star Blizzard domains still share certain defining characteristics: they're typically registered with Namecheap, in groups that often use similar naming conventions, and they carry TLS certificates from Let's Encrypt.
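Those three shared traits are the kind of thing a hunt query can key on. The script below is an added example (not code from Microsoft or Dark Reading) that takes domain records of the sort one would pull from WHOIS/RDAP and Certificate Transparency logs, keeps only those registered through Namecheap with a Let's Encrypt certificate, and then groups them by shared naming tokens so that a batch registered on one convention surfaces as a cluster. The input records and every domain name in them are constructed for the example; the field names `registrar` and `cert_issuer` are assumptions about how your own data source labels those values.

```python
"""Cluster candidate domains on the infrastructure traits the article
attributes to Star Blizzard: Namecheap registration, Let's Encrypt
certificates, and batches of names built on one naming convention.

Added example, not code from Microsoft or Dark Reading. The records below
are constructed; the domains are made up."""
import re
from collections import defaultdict

# Substring matching so that "NameCheap, Inc." and "Let's Encrypt (R3)"
# still match the traits named in the article.
REGISTRAR_HINT = "namecheap"
ISSUER_HINT = "let's encrypt"

# Constructed sample: field names (registrar, cert_issuer) are an assumption
# about how a WHOIS/CT export would be labelled.
SAMPLE_RECORDS = [
    {"domain": "secure-docs-share01.com", "registrar": "NameCheap, Inc.",
     "cert_issuer": "Let's Encrypt (R3)"},
    {"domain": "secure-docs-share02.net", "registrar": "NameCheap, Inc.",
     "cert_issuer": "Let's Encrypt (R3)"},
    {"domain": "docs-review-portal.com", "registrar": "NameCheap, Inc.",
     "cert_issuer": "Let's Encrypt (R3)"},
    # Same naming convention but a different CA: dropped by the issuer trait.
    {"domain": "secure-docs-share03.com", "registrar": "NameCheap, Inc.",
     "cert_issuer": "DigiCert Inc"},
    # A legitimate-looking domain on unrelated infrastructure: dropped.
    {"domain": "research-institute.org", "registrar": "MarkMonitor Inc.",
     "cert_issuer": "DigiCert Inc"},
]


def matches_infra_traits(rec):
    """True when both the registrar and the certificate issuer match."""
    return (REGISTRAR_HINT in rec["registrar"].lower()
            and ISSUER_HINT in rec["cert_issuer"].lower())


def name_tokens(domain):
    """Alphabetic tokens of the registrable label, digits and TLD dropped:
    'secure-docs-share01.com' -> {'secure', 'docs', 'share'}."""
    label = domain.lower().split(".")[0]
    return {t for t in re.split(r"[^a-z]+", label) if len(t) >= 3}


def cluster_by_naming(records, min_size=2):
    """Return {token: sorted domains} for every naming token shared by at
    least `min_size` domains that also pass the registrar/issuer filter.
    A domain may appear under several tokens; that is intended, since the
    analyst pivots on whichever token is most distinctive."""
    buckets = defaultdict(set)
    for rec in records:
        if not matches_infra_traits(rec):
            continue
        for tok in name_tokens(rec["domain"]):
            buckets[tok].add(rec["domain"])
    return {tok: sorted(doms) for tok, doms in buckets.items()
            if len(doms) >= min_size}


if __name__ == "__main__":
    for tok, doms in sorted(cluster_by_naming(SAMPLE_RECORDS).items()):
        print(f"{tok:>8}: {', '.join(doms)}")
```

The registrar and CA filter on its own is far too broad to alert on, since Namecheap plus Let's Encrypt describes a large share of all small-budget domains; the value is in combining it with the naming-convention cluster and with what else you know (registration date, hosting, and the reverse-proxy behaviour the article mentions) before treating a cluster as attacker infrastructure.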
Besides its smaller tricks, Star Blizzard has begun to utilize the email marketing services Mailerlite and HubSpot for directing its phishing escapades.
Sometimes the hackers have combined these tactics, embedding within the body of their password-protected PDFs the email marketing URLs they use to redirect to their malicious servers.
This combo removes the need to include its own domain infrastructure in the emails.
Recently, researchers observed the group using email marketing services to target think tanks and research organizations, using a common lure, with the goal of obtaining credentials for a U.S. grants management portal.
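The lure pattern described in this section (a password-protected PDF, the password supplied in the message, and links that go out through an email-marketing click tracker rather than attacker-owned domains) can be scored at the mail gateway. The following is an added example, not code from Microsoft or Dark Reading. The message it parses is constructed inline, the PDF is a minimal byte string carrying an `/Encrypt` trailer entry rather than a real document, and the click-tracking hostnames in `MARKETING_CLICK_HOSTS` are an assumed placeholder list to be replaced with whatever your own telemetry shows.

```python
"""Score an email for the Star Blizzard-style lure described above.

Added example, not code from Microsoft or Dark Reading. The sample message,
the PDF bytes and the tracking-host list are constructed/assumed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed placeholder: click-tracking hostnames of email-marketing services.
MARKETING_CLICK_HOSTS = ("hubspotlinks.com", "mlsend.com")

# Minimal constructed PDF whose trailer has an /Encrypt entry, which is how a
# password-protected PDF is marked. Not a real, openable document.
ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n"
                 b"trailer<</Root 1 0 R/Encrypt 2 0 R>>\n%%EOF\n")

# "password: Abc123", "passcode - xyz" etc.; requires a 4+ char token after it.
PASSWORD_RE = re.compile(
    r"\bpass(?:word|code)\b[^A-Za-z0-9]{0,20}([A-Za-z0-9!@#$%]{4,})", re.I)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*")


def pdf_is_encrypted(data: bytes) -> bool:
    """Substring check for the /Encrypt trailer key. A production gateway
    should parse the trailer/xref properly; this is the illustrative form."""
    return b"/Encrypt" in data


def is_marketing_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MARKETING_CLICK_HOSTS)


def triage(raw: bytes) -> dict:
    """Return the individual findings and a combined score for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = {"encrypted_pdf": False, "password_in_body": False,
                "marketing_links": [], "score": 0}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/pdf" or name.endswith(".pdf"):
            if pdf_is_encrypted(part.get_payload(decode=True) or b""):
                findings["encrypted_pdf"] = True
    if PASSWORD_RE.search(text):
        findings["password_in_body"] = True
    for host in URL_RE.findall(text):
        if is_marketing_host(host):
            findings["marketing_links"].append(host.lower())
    # Weighting: the protected-PDF-plus-password pair is the strong signal,
    # a marketing-service redirect on top of it is corroborating.
    findings["score"] = (2 * findings["encrypted_pdf"]
                         + 2 * findings["password_in_body"]
                         + min(len(findings["marketing_links"]), 1))
    return findings


def build_sample() -> bytes:
    """Construct the sample lure inline so the example runs offline."""
    m = EmailMessage()
    m["From"] = "grants-office@example.com"   # constructed sender
    m["To"] = "researcher@example.org"        # constructed recipient
    m["Subject"] = "Grant application documents"
    m.set_content("Please review the attached proposal.\n"
                  "Password: Gr4nt2023\n"
                  "If it does not open, use this link:\n"
                  "https://t.hubspotlinks.com/Ctc/abc\n")  # constructed URL
    m.add_attachment(ENCRYPTED_PDF, maintype="application", subtype="pdf",
                     filename="proposal.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The article notes the password sometimes arrives in a follow-up email rather than the same one, so in deployment the `password_in_body` check should also look across recent messages from the same sender to the same recipient; the same holds for the PDF reaching the victim as a file-sharing link rather than an attachment, where the body-link check would need to follow the link to fetch the document.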


This Cyber News was published on www.darkreading.com. Publication date: Thu, 07 Dec 2023 22:15:51 +0000