The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.
The activity targeted Polish government agencies, the Ukrainian Foreign Ministry, the Italian Foreign Ministry and people within the Indian government, SentinelOne said in a report shared with The Hacker News.
“Of particular interest is the APT’s targeting of private companies, including telecommunications organizations that support Ukraine in the ongoing war,” said lead threat researcher Tom Hegel.
Winter Vivern, also tracked as UAC-0114, came to attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign targeting Ukrainian and Polish state authorities to deliver a piece of malware called Aperetif.
Previous public reports on the group show that it has leveraged crafted Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.
While the threat actor’s origins are unknown, attack patterns suggest the group is aligned with targets that support the interests of the Belarusian and Russian governments.
UAC-0114 has employed a variety of methods, ranging from phishing websites to malicious documents, tailored to the targeted organization to distribute its custom payloads and gain unauthorized access to sensitive systems.
In a batch of attacks observed in mid-2022, Winter Vivern set up credential phishing webpages to lure users of the legitimate Indian government email service email.gov[.]in.
Typical attack chains involve the use of batch scripts posing as virus scanners to trigger the deployment of the Aperetif Trojan from actor-controlled infrastructure, such as compromised WordPress sites.
Aperetif, a Visual C++-based malware, comes with functions to collect victim data, maintain backdoor access, and retrieve additional payloads from the command and control (C2) server.
“The Winter Vivern APT is a limited resource but highly creative group that shows restraint in the scope of its attacks,” Hegel said.
“Their ability to attract targets for attacks and their targeting of governments and high-value private companies demonstrate the level of sophistication and strategic intent in their operations.”
While Winter Vivern may have managed to evade the public spotlight for long periods of time, one group that isn’t too concerned about staying under the radar is Nobelium, which shares overlaps with APT29 (aka BlueBravo, Cozy Bear, or The Dukes).
The Kremlin-backed nation-state group, known for its December 2020 SolarWinds supply chain compromise, has continued to evolve its toolkit, developing new custom malware such as MagicWeb and GraphicalNeutrino.
It has also been attributed to another phishing campaign targeting diplomatic entities in the European Union, with specific focus on agencies that “assist Ukrainian citizens fleeing the country and provide aid to the Ukrainian government.”
“Nobelium actively collects intelligence on countries supporting Ukraine in the Russia-Ukraine war,” BlackBerry said. “Threat actors carefully follow geopolitical events and use them to increase their chance of a successful infection.”
The phishing emails, detected by the company’s research and intelligence team, contain a crafted document that includes a link pointing to an HTML file.
The concocted URLs, hosted by a legitimate El Salvador-based online library website, feature lures related to LegisWrite and eTrustEx, both of which are used by EU nations for the secure exchange of documents.
The HTML dropper (called ROOTSAW or EnvyScout) delivered in the campaign embeds an ISO image which, in turn, is designed to launch a malicious dynamic link library (DLL) that facilitates the delivery of next-stage malware via the Notion API.
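The dropper pattern just described (an HTML file carrying an ISO image that the browser writes to disk, often called HTML smuggling) can be triaged without executing the page. The following is an added example, not code from the report or from BlackBerry: it scans an HTML document for long base64 string literals, decodes them, checks for the ISO 9660 volume-descriptor signature ("CD001" at offset 0x8001), and looks for the JavaScript idioms that turn a decoded buffer into a download. The sample HTML it inspects is constructed here; the embedded "ISO" is zero-filled apart from the signature.

```python
"""Static triage of an HTML file for the embedded-ISO dropper pattern.

Added example for defenders; the sample HTML below is constructed, not a
real dropper, and the 'ISO' inside it is zeros plus the ISO 9660 signature.
"""
import base64
import re

# ISO 9660 primary volume descriptor starts with "CD001" at byte 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# JavaScript idioms commonly used to hand a decoded buffer to the browser's
# download path. Presence alone is not malicious; it is a triage signal.
SAVE_PATTERNS = [
    r"msSaveOrOpenBlob",
    r"msSaveBlob",
    r"createObjectURL\s*\(",
    r"\.download\s*=",
]

# A quoted base64 literal of at least 2 KB; small inline images are ignored.
BASE64_BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{2048,})['\"]")


def find_base64_blobs(html):
    """Decode every long base64 string literal found in the HTML text."""
    blobs = []
    for match in BASE64_BLOB_RE.finditer(html):
        try:
            blobs.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def looks_like_iso(data):
    """True if the decoded payload carries the ISO 9660 signature."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    return len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC


def triage_html(html):
    """Summarise indicators: blob count, ISO payloads, save-to-disk idioms."""
    blobs = find_base64_blobs(html)
    iso_blobs = [b for b in blobs if looks_like_iso(b)]
    save_hits = [p for p in SAVE_PATTERNS if re.search(p, html)]
    return {
        "embedded_blobs": len(blobs),
        "iso_payloads": len(iso_blobs),
        "save_to_disk_idioms": save_hits,
        # Flag an ISO outright, or any large blob paired with a download idiom.
        "suspicious": bool(iso_blobs) or (bool(blobs) and bool(save_hits)),
    }


def build_sample_html():
    """Constructed stand-in: a fake ISO embedded as base64 plus a download idiom."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 0x800)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    b64 = base64.b64encode(bytes(fake_iso)).decode()
    return (
        "<html><body><script>\n"
        f'var payload = "{b64}";\n'
        '// (decode step omitted) a.href = URL.createObjectURL(blob); a.download = "doc.iso";\n'
        "</script></body></html>"
    )


# Benign control: a short inline image, which should not be flagged.
BENIGN_HTML = '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">'

if __name__ == "__main__":
    print(triage_html(build_sample_html()))
    print(triage_html(BENIGN_HTML))
```

The 2 KB threshold and the idiom list are tuning knobs: lower the threshold if you want to catch droppers that split the payload across several literals, and add the concatenation-heavy patterns your own samples use. Treat the result as a reason to detonate the file in a sandbox, not as a verdict.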
The use of Notion, a popular note-taking app, for C2 communications was previously revealed by Recorded Future in January 2023. It is worth noting that APT29 has employed various online services such as Dropbox, Google Drive, Firebase, and Trello in an attempt to evade detection.
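Because the traffic to these services is legitimate at the domain level, blocking is rarely an option; what defenders can do is look for how an implant uses the service rather than which service it uses. The following is an added example, not code from Recorded Future or the vendors cited: it reads constructed web-proxy log lines, groups requests to a watchlist of cloud APIs by source host, and flags pairs whose inter-request intervals are too regular to be a person clicking around (low coefficient of variation over enough hits). The hostnames in the watchlist are the public API endpoints of the services named above; the log format and the hosts WS-042 and WS-017 are invented for the example.

```python
"""Beacon-regularity check for cloud APIs abused as C2 channels.

Added example for detection engineers. The proxy log format and all
log lines are constructed; the watchlist holds the public API hosts of
the services the article names.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Public API endpoints of services the article names as C2 channels.
CLOUD_API_HOSTS = {
    "api.notion.com",
    "api.dropboxapi.com",
    "www.googleapis.com",
    "api.trello.com",
}

# Constructed proxy log: "<ISO time> <src_host> <dst_host> <status> <bytes> "<user-agent>""
SAMPLE_PROXY_LOG = [
    # WS-042: near-constant ~60 s cadence to the Notion API, unusual user agent.
    '2023-03-17T09:00:00 WS-042 api.notion.com 200 812 "Mozilla/4.0"',
    '2023-03-17T09:01:01 WS-042 api.notion.com 200 804 "Mozilla/4.0"',
    '2023-03-17T09:02:00 WS-042 api.notion.com 200 815 "Mozilla/4.0"',
    '2023-03-17T09:03:02 WS-042 api.notion.com 200 809 "Mozilla/4.0"',
    '2023-03-17T09:03:59 WS-042 api.notion.com 200 811 "Mozilla/4.0"',
    '2023-03-17T09:05:00 WS-042 api.notion.com 200 810 "Mozilla/4.0"',
    '2023-03-17T09:06:01 WS-042 api.notion.com 200 808 "Mozilla/4.0"',
    '2023-03-17T09:07:00 WS-042 api.notion.com 200 813 "Mozilla/4.0"',
    # Same host browsing an unrelated site; not in the watchlist, ignored.
    '2023-03-17T09:04:30 WS-042 www.example.com 200 5120 "Mozilla/5.0"',
    # WS-017: a human using the Notion client at irregular times.
    '2023-03-17T09:00:12 WS-017 api.notion.com 200 2048 "Notion/2.0.41"',
    '2023-03-17T09:00:40 WS-017 api.notion.com 200 1900 "Notion/2.0.41"',
    '2023-03-17T09:07:45 WS-017 api.notion.com 200 3072 "Notion/2.0.41"',
    '2023-03-17T09:31:03 WS-017 api.notion.com 200 1024 "Notion/2.0.41"',
    '2023-03-17T09:31:09 WS-017 api.notion.com 200 1100 "Notion/2.0.41"',
    '2023-03-17T10:02:20 WS-017 api.notion.com 200 2560 "Notion/2.0.41"',
]


def parse_proxy_line(line):
    """Split one constructed-format log line into a record."""
    ts, src, dst, status, nbytes, ua = line.split(" ", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "status": int(status),
        "bytes": int(nbytes),
        "ua": ua.strip('"'),
    }


def beacon_score(timestamps):
    """Return (hit count, coefficient of variation of the gaps between hits).

    CV is None when there are too few hits to judge regularity.
    """
    if len(timestamps) < 4:
        return len(timestamps), None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return len(ordered), None
    return len(ordered), statistics.pstdev(gaps) / mean_gap


def find_beacons(lines, min_hits=6, max_cv=0.2):
    """Flag (src, dst) pairs hitting a watchlisted API on a machine-like cadence."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec["dst"] in CLOUD_API_HOSTS:
            per_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    flagged = []
    for (src, dst), stamps in per_pair.items():
        hits, cv = beacon_score(stamps)
        if hits >= min_hits and cv is not None and cv <= max_cv:
            flagged.append({"src": src, "dst": dst, "hits": hits, "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

Implants add jitter precisely to defeat this, so pair the cadence check with the other signals present in the same records: a user agent that does not match the service's real client, a process-to-destination mapping from endpoint telemetry, and request sizes that barely vary. The thresholds (six hits, CV of 0.2) are starting points to tune against your own baseline.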
“Nobelium remains very active, running multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks in the US, Europe, and Central Asia,” Microsoft said last month.
The findings also come as enterprise security firm Proofpoint revealed aggressive email campaigns orchestrated by a Russia-aligned threat actor named TA499 (also known as Lexus and Vovan) since early 2021 to trick targets into participating in recorded phone calls or video chats and extract valuable information.
“The threat actor has engaged in constant activity and has broadened its targeting to include prominent businessmen and high-profile individuals who have made large donations to Ukrainian humanitarian efforts or make public statements about Russian disinformation and propaganda,” the company said.