Star Blizzard increases sophistication and evasion in ongoing attacks | Microsoft Security Blog

Star Blizzard continues to escalate its attacks, showing greater sophistication and evasion through a sprawling, rotating domain infrastructure and the use of trusted TLS certificates. Microsoft researchers highlight these changes as part of ongoing operations leveraging numerous domains to host payloads and C2 traffic. #StarBlizzard #MicrosoftSecurityBlog

Key points

  • Star Blizzard has increased sophistication and evasion in ongoing attacks, according to Microsoft.
  • The threat actor relies on a large, dynamic infrastructure of attacker-controlled domains registered via NameCheap with TLS certificates issued by Let’s Encrypt to host payloads and C2 traffic.
  • Many domain names are crafted to mimic legitimate cloud, storage, and document services to deceive victims.
  • DNS and TLS usage appear as components of the attack infrastructure, underscoring a focus on stealth and reliability.
  • The article provides an extensive list of infrastructure domains as IOCs, illustrating the scale of the operation.
  • The findings indicate persistent, ongoing campaigns with rotating infrastructure to evade detections.
  • Overall, the operation demonstrates a shift toward domain-based C2 and scalable infrastructure acquisition to sustain attacks.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The attackers register a broad network of domains and obtain TLS certificates to support operations. ‘the attackers register a broad network of domains and obtain TLS certificates…’
  • [T1071.001] Web Protocols – C2 communications occur over web channels using TLS, inferred from TLS certificate usage and domain hosting. ‘TLS certificates issued by Let’s Encrypt (CN=R3) indicate web-based channels’
  • [T1071.004] DNS – Resolution through a DNS provider is part of the attacker-controlled infrastructure, supporting covert and reliable communications. ‘DNS provider resolving’
  • [T1036] Masquerading – Domain names are crafted to resemble legitimate cloud/storage/document services to blend in with normal traffic. ‘domain names mimic cloud and storage services to deceive victims’

Indicators of Compromise

  • [Domain] context – centralitdef[.]com, rootgatewayshome[.]com, and 60+ other domains
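The IOCs above are published defanged (`[.]`), and the post notes that the domain names imitate cloud, storage and document services. The following is an added defender-side example, not code from Microsoft or from the blog post: it refangs the two indicators named on this page, matches DNS query logs against them (including subdomains, since the infrastructure rotates hosts under known apexes), and flags unlisted names that carry several service-mimicking tokens for triage. The token list, log format and log lines are constructed assumptions.

```python
import re

# The two indicators quoted on this page, in the page's defanged notation.
# The remaining 60+ domains from the post are not reproduced here.
DEFANGED_IOCS = ["centralitdef[.]com", "rootgatewayshome[.]com"]

# Assumption: illustrative tokens typical of names imitating cloud/storage/document
# services; this list is constructed for the example, not taken from the post.
LOOKALIKE_TOKENS = ("cloud", "storage", "drive", "docs", "document",
                    "gateway", "share", "file", "sync")

# Constructed log format: "<timestamp> <client-ip> query <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

# Constructed sample DNS log lines.
SAMPLE_LOG = [
    "2023-12-07T10:01:02Z 10.0.0.5 query centralitdef.com",
    "2023-12-07T10:01:03Z 10.0.0.5 query files.rootgatewayshome.com",
    "2023-12-07T10:01:04Z 10.0.0.7 query clouddrivedocs-share.example",
    "2023-12-07T10:01:05Z 10.0.0.7 query www.microsoft.com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip(".").lower()


def lookalike_score(qname: str) -> int:
    """Count service-mimicking tokens in the name, ignoring the public suffix label."""
    labels = qname.lower().split(".")
    name = ".".join(labels[:-1]) if len(labels) > 1 else qname.lower()
    return sum(1 for tok in LOOKALIKE_TOKENS if tok in name)


def triage_dns_log(lines, iocs=DEFANGED_IOCS, min_score=2):
    """Return (client, qname, reason) for queries that hit an IOC or look like a lookalike."""
    ioc_set = {refang(d) for d in iocs}
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        qname = m.group("qname").lower().rstrip(".")
        # Exact apex match or any subdomain of a known apex (rotating hosts).
        if qname in ioc_set or any(qname.endswith("." + d) for d in ioc_set):
            hits.append((m.group("client"), qname, "ioc"))
        elif lookalike_score(qname) >= min_score:
            hits.append((m.group("client"), qname, "lookalike"))
    return hits
```

Treat "lookalike" hits as triage candidates rather than confirmed compromise; the token heuristic will also catch legitimate services, so the threshold and token list need tuning against your own baseline traffic.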

Read more: https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/