Secret Blizzard is a Russian state-backed hacking group (also known as Turla, Venomous Bear, or Uroburos) that recently launched a sophisticated cyberespionage campaign using a custom malware called ApolloShadow. The group targeted foreign embassies in Moscow by leveraging adversary-in-the-middle (AitM) attacks at the ISP level.
ApolloShadow works by installing a rogue trusted root certificate on the victim’s device, which allows attackers to intercept and manipulate encrypted web traffic by making malicious sites appear trustworthy. This method enables persistent surveillance and easier credential theft. Initial infection typically occurs when embassy staff connect to local ISPs in Moscow, which redirect devices through a captive portal, prompting victims to download and run the malware. Once installed, ApolloShadow attempts to escalate its privileges to make network settings less secure, create a new admin user for backdoor access, and install certificates that bypass browser security warnings..
The malware campaign, active since at least 2024, is considered a severe espionage risk for diplomatic personnel using Russian networks. Microsoft Threat Intelligence specifically recommends that such entities use the principle of least privilege, regularly review privileged users, and route all network traffic through encrypted tunnels or reputable VPNs to reduce exposure to these attacks.
1. Initial Access and Delivery
- Adversary-in-the-Middle (AiTM) Attack: Secret Blizzard leverages privileged ISP-level placement in Russia to redirect embassy staff network connections through a captive portal, masquerading as a legitimate connectivity check.
- Captive Portal Exploit: The captive portal serves a fake Kaspersky Anti-Virus installer (CertificateDB.exe) to the user, which is the dropper for ApolloShadow.
2. Execution and Privilege Escalation
- Privilege Check: ApolloShadow checks the process token’s elevation status using the Windows
GetTokenInformationTypeAPI.- If not fully elevated, it triggers a User Access Control (UAC) pop-up, trying to trick users into allowing installation of root certificates (impersonating Kaspersky AV).
- Dual Execution Paths:
- Low Privilege: Executes minimal actions, attempts to elevate privileges.
- High Privilege: Engages in broad system modification.
3. Communication and Second-Stage Payload
- Beaconing: Sets up encoded GET requests to domains like
timestamp.digicert[.]com/registered, relaying system info as query parameters. DNS manipulation enables C2 communications even when domains appear legitimate. - Second-stage VBScript: If the response matches a certain header pattern, ApolloShadow decodes and writes a file (e.g.,
edgB4ACD.vbs) to the temp directory, which is then executed via Windows Script Host (wscript). This file likely contains additional payloads or C2 logic.
4. Persistence and Certificate Installation
- Certificate Installation:
- Writes two rogue root certificates to
%TEMP%, then usescertutil.exeto install them into Trusted Root and Enterprise CA stores:certutil.exe -f -Enterprise -addstore root "<path-to-temp-crt1>" certutil.exe -f -Enterprise -addstore ca "<path-to-temp-crt2>" - Deletes temporary certificate files post-install[1].
- Writes two rogue root certificates to
- Firefox Compatibility: Adds a
wincert.jsfile to Firefox’s preferences, settingsecurity.enterprise_roots.enabledto true, forcing Firefox to trust the rogue root certificate.
5. System & Network Reconfiguration
- Network Profile Manipulation:
- Modifies Windows Registry at
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles, changingCategoryvalue to0(sets networks to Private upon reboot). - Alternatively, immediately enables firewall rules for Network Discovery and File/Printer Sharing using COM objects, by referencing rules like
FirewallAPI.dll,-32752andFirewallAPI.dll,-28502.
- Modifies Windows Registry at
6. Backdoor Access
- Admin Account Creation: Uses Windows API
NetUserAddto create a local administrator accountUpdatusUserwith a pre-set, never-expiring password, giving the attacker persistent backdoor access if the malware is removed.
7. Obfuscation and Evasion
- String Obfuscation: Uses XOR encoding of critical strings with hardcoded keys, decoded only when needed and re-encoded immediately after use to reduce memory artifacts.
- Stealth: Registry changes (network profile) require a reboot (high stealth), while COM-based changes take effect immediately (less stealth).
Key Takeaways:
- Root certificate installation is the central technique—enabling long-term encrypted traffic interception, credential theft, and security bypass across multiple browsers.
- The attack is facilitated by privileged ISP/telecom access, illustrating severe risk in hostile network environments.
- Persistent backdoor accounts and system reconfiguration open the victim network to lateral movement and further exploitation.
This level of detail reflects the sophistication and multifaceted persistence of the ApolloShadow malware as deployed by the Secret Blizzard group.
