Microsoft Warns of Emerging Threats and Credential Theft Tactics of COLDRIVER

December 07, 2023 | The Hacker News | Threat Intelligence / Cyber Espionage

Credential Theft Tactics

The threat actor known as COLDRIVER continues to conduct credential theft activities against entities of strategic interest to Russia while simultaneously improving its evasion capabilities.

The Microsoft Threat Intelligence team tracks the cluster as Star Blizzard (formerly SEABORGIUM). It is also known as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary “continues to target individuals and organizations involved in international affairs, defense, and logistical support of Ukraine, as well as academia, information security companies, and other entities that are consistent with the interests of the Russian state,” Redmond said.

Star Blizzard, which is linked to Russia’s Federal Security Service (FSB), has a track record of setting up look-alike domains that impersonate the login pages of targeted companies. It has been known to be active since at least 2017.


In August 2023, Recorded Future revealed 94 new domains that are part of the actor’s attack infrastructure, most of which contain keywords related to information technology and cryptocurrency.

Microsoft says it has observed the adversary using server-side scripts to prevent automated scanning of actor-controlled infrastructure since April 2023, moving away from hCaptcha as the means of determining targets of interest and redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check whether the browser has any plugins installed and whether the page is being accessed by an automation tool such as Selenium or PhantomJS, and to send the results to the redirector server in an HTTP POST request.

“Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection,” Microsoft said.


“When a positive decision is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve or directly the Evilginx server.”

Star Blizzard has also recently used email marketing services such as HubSpot and MailerLite to create campaigns that serve as the starting point of a redirect chain ending at the Evilginx server hosting the credential-harvesting landing page.
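The redirect chain described above (a mass-mailing tracking link, a redirector that receives a browser-profile POST, then an onward redirect to a third host) leaves a recognisable shape in web proxy logs. The following is an added example and not code from the original article or from Microsoft: it reconstructs per-client chains from constructed log lines and flags that shape; the log format, the hostnames and the MARKETING_HOSTS list are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log (time, client, method, URL, status, optional Location); placeholder hostnames.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET https://tracking.mailer.example/c/abc 302 https://redir.placeholder.example/l/abc
10:00:02 10.0.0.5 GET https://redir.placeholder.example/l/abc 200
10:00:03 10.0.0.5 POST https://redir.placeholder.example/check 200
10:00:04 10.0.0.5 GET https://redir.placeholder.example/go 302 https://login.lure.example/
10:00:05 10.0.0.5 GET https://login.lure.example/ 200
10:01:00 10.0.0.9 GET https://tracking.mailer.example/c/xyz 302 https://www.corp.example/news
10:01:01 10.0.0.9 GET https://www.corp.example/news 200
"""
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                    r"(?P<status>\d{3})(?: (?P<location>\S+))?$")
# Link-tracking hosts of the mail-marketing services the organisation receives mail from (assumed)
MARKETING_HOSTS = {"tracking.mailer.example"}

def host_of(url):
    return url.split("/")[2].lower()

def parse(log):
    """Group log lines per client as (method, host, status, redirect_target_host)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            target = host_of(m["location"]) if m["location"] else None
            events[m["client"]].append((m["method"], host_of(m["url"]), int(m["status"]), target))
    return events

def find_chains(log, marketing_hosts=MARKETING_HOSTS):
    """Return [(client, [marketing_host, redirector_host, final_host])] for every client whose
    marketing-link click lands on a host that receives a POST and then redirects elsewhere."""
    hits = []
    for client, evs in parse(log).items():
        for i, (method, host, status, target) in enumerate(evs):
            if method != "GET" or host not in marketing_hosts or not 300 <= status < 400 or not target:
                continue  # not a redirect out of a marketing tracking link
            redirector, posted = target, False
            for m2, h2, s2, t2 in evs[i + 1:]:
                if h2 != redirector:
                    continue
                if m2 == "POST":
                    posted = True  # browser-profile data submitted to the redirector
                elif posted and 300 <= s2 < 400 and t2 and t2 not in (redirector, *marketing_hosts):
                    hits.append((client, [host, redirector, t2]))
                    break
    return hits
```

The second client in the sample follows a legitimate marketing redirect straight to a content page and is not flagged, because no POST precedes a further redirect.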

In addition, the threat actor has been observed using a Domain Name System (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected lure PDFs containing links in order to evade email security processing, and hosting files on Proton Drive.

That’s not all. In a sign that the threat actor is actively monitoring public reporting of its tactics and techniques, it has now improved its domain generation algorithm (DGA) to include a more randomized list of words when naming its domains.


Despite these changes, “Star Blizzard’s activities remain focused on email credential theft, primarily targeting cloud-based email providers that host organizational and/or personal email accounts,” Microsoft said.

“Star Blizzard remains consistent in their use of pairs of dedicated VPSs hosting infrastructure controlled by the actor (redirector + Evilginx servers) used for spear-phishing activities, where each server typically hosts a separate actor-registered domain.”

UK Sanctions Two Star Blizzard Members

The development comes as the UK calls out Star Blizzard for “continued unsuccessful attempts to interfere in UK political processes” by targeting high-profile individuals and entities through cyber operations.

Apart from linking Star Blizzard to Centre 18, a subordinate element within the FSB, the UK government has sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in spear-phishing campaigns.

The activity “resulted in the unauthorized access and exfiltration of sensitive data, which was intended to harm UK organizations and more specifically, the UK government,” it said.