An advanced persistent threat (APT) known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.
The campaign targeted individuals within Polish government agencies, the Ukrainian Ministry of Foreign Affairs, the Italian Ministry of Foreign Affairs, and the Indian government, SentinelOne said in a report shared with The Hacker News.
“Of particular interest is the APT’s targeting of private companies, including telecommunications organizations, that support Ukraine in the ongoing war,” said senior threat researcher Tom Hegel.
Winter Vivern, also tracked as UAC-0114, attracted attention last month when the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign targeting Ukrainian and Polish state authorities that distributed a piece of malware called Aperetif.
Previous public reports documenting this group show that they utilized weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants to compromised hosts.
The origin of the attackers is unknown, but attack patterns suggest that the cluster is aligned with the interests of the governments of Belarus and Russia.
UAC-0114 employs a variety of methods, ranging from phishing websites to malicious documents, each customized to the targeted organization, to deliver custom payloads and gain unauthorized access to sensitive systems.
In a series of attacks observed in mid-2022, Winter Vivern set up a credential phishing webpage to lure users of the Indian government’s legitimate email service, email.gov[.]in.
A typical attack chain uses a batch script disguised as a virus scanner to trigger the deployment of the Aperetif Trojan from an attacker-controlled infrastructure, such as a compromised WordPress site.
Aperetif, a Visual C++-based malware, has the ability to collect victim data, maintain backdoor access, and retrieve additional payloads from command and control (C2) servers.
“Winter Vivern APT is a very creative group with limited resources, but with a limited attack surface,” said Hegel.
“Their ability to lure targets into attack and their targeting of governments and high-value private companies shows the level of sophistication and strategic intent in their operations.”
Winter Vivern has stayed out of the public eye for a long time, but one group that is less concerned about staying under the radar is Nobelium, which overlaps with APT29 (a.k.a. BlueBravo, Cozy Bear, or The Dukes).
Infamous for the December 2020 SolarWinds supply chain breach, the Kremlin-backed nation-state group continues to evolve its toolset and develop new custom malware such as MagicWeb and GraphicalNeutrino.
It has also been attributed to another phishing campaign targeting EU diplomatic entities, with a particular focus on institutions “helping Ukrainian citizens fleeing the country and providing assistance to the Ukrainian government.”
“Nobelium actively collects information about countries supporting Ukraine in the Russian-Ukrainian war,” said BlackBerry. “Attackers carefully track geopolitical events and use them to increase the chances of infection.”
Phishing emails discovered by the company’s research and intelligence team contain weaponized documents containing links to HTML files.
The weaponized URL is hosted on a legitimate online library website based in El Salvador and features lures related to LegisWrite and eTrustEx, both of which are used by EU countries for secure document exchange.
The HTML dropper (called ROOTSAW or EnvyScout) delivered in the campaign embeds an ISO image designed to launch a malicious dynamic link library (DLL) that facilitates the delivery of the next-stage malware via Notion’s API.
The use of Notion, a popular note-taking application, for C2 communications was previously revealed by Recorded Future in January 2023. APT29 has previously leveraged Dropbox, Google Drive, Firebase, and Trello in attempts to evade detection.
“Nobelium remains very active, running multiple parallel campaigns targeting government agencies, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks in the United States, Europe, and Central Asia,” the company said last month.
The findings also come as enterprise security firm Proofpoint has disclosed an aggressive email campaign orchestrated since early 2021 by a Russian-aligned threat actor dubbed TA499 (a.k.a. Lexus and Vovan). The campaign is intended to trick targets into joining a recorded phone call or video chat in order to extract valuable information.
“The threat actor has been steadily operating, targeting prominent businessmen and celebrities who have donated large amounts to Ukrainian humanitarian aid efforts and made public statements about Russian disinformation and propaganda,” the company said.