A Russia-linked advanced persistent threat (APT) actor tracked as Winter Vivern has been observed targeting government entities in several European and Asian countries.
Initially detailed in early 2021, the group is known to support the interests of the Belarusian and Russian governments, and was previously noted to target government organizations in India, Lithuania, Slovakia, and the Vatican.
Following reports published in February by Polish and Ukrainian authorities about new Winter Vivern activity targeting Ukraine, cybersecurity firm SentinelOne discovered additional campaigns that can be attributed to the group.
SentinelOne found that recent Winter Vivern attacks targeted government entities in Poland, Ukraine, Italy, and India, as well as telecommunication organizations in Ukraine.
As part of the observed attacks, the threat actor created individual pages on a malicious domain that mimicked the pages of a Polish anti-cybercrime agency and those of the Ukrainian security service and Ministry of Foreign Affairs.
Winter Vivern uses malicious Office documents in the attacks and was seen hosting phishing web pages that harvest government email credentials. It also used malicious Excel spreadsheets to target people associated with a Ukrainian government project that guides Russian and Belarusian soldiers seeking to surrender voluntarily.
According to SentinelOne, the APT likely has limited resources, but its use of shared tools and legitimate Windows utilities in attacks makes it effective despite that constraint.
“Recent campaigns demonstrate the group’s use of decoys to start the infection process, using batch scripts disguised as virus scanners to trigger malware downloads from attacker-controlled servers,” the cybersecurity firm notes.
The malware deployed in recent attacks included Aperetif, a Remote Access Trojan (RAT) written in Visual C++ that can collect system information, maintain access to the infected system, and connect to the command and control (C&C) server to receive instructions or download additional payloads.
Winter Vivern also exploits known vulnerabilities to compromise targets and staging servers. One of the APT servers was seen to host the Acunetix Web Application Vulnerability Scanner, which is likely used to identify vulnerable networks and WordPress domains.
“Cyber threat actor Winter Vivern has been able to successfully carry out its attacks using simple but effective attack techniques and tools. Its ability to attract targets for attacks and its targeting of high-value governments and private companies demonstrate the level of sophistication and strategic intent in its operations,” concludes SentinelOne.