Winter Vivern APT Group Focusing on Indian, Lithuanian, Slovakian, and Vatican Officers

by crpt os


The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.

The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News.

“Of particular interest is the APT’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war,” senior threat researcher Tom Hegel said.

Winter Vivern, also tracked as UAC-0114, drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif.

Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

While the origins of the threat actor are unknown, the attack patterns suggest that the cluster is aligned with objectives that support the interests of Belarus and Russia’s governments.

UAC-0114 has employed a variety of methods, ranging from phishing websites to malicious documents, that are tailored to the targeted organization to distribute its custom payloads and gain unauthorized access to sensitive systems.

In one set of attacks observed in mid-2022, Winter Vivern set up credential phishing web pages to lure users of the Indian government’s legitimate email service email.gov[.]in.

Typical attack chains involve using batch scripts masquerading as virus scanners to trigger the deployment of the Aperetif trojan from actor-controlled infrastructure such as compromised WordPress sites.

Aperetif, a Visual C++-based malware, comes with features to collect victim data, maintain backdoor access, and retrieve additional payloads from the command-and-control (C2) server.

“The Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks,” Hegel said.

“Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations.”

While Winter Vivern may have managed to evade the public eye for extended periods of time, one group that’s not too concerned about staying under the radar is Nobelium, which shares overlaps with APT29 (aka BlueBravo, Cozy Bear, or The Dukes).

The Kremlin-backed nation-state group, notorious for the SolarWinds supply chain compromise in December 2020, has continued to evolve its toolset, developing new custom malware like MagicWeb and GraphicalNeutrino.

It has also been attributed to yet another phishing campaign directed against diplomatic entities in the European Union, with specific emphasis on agencies that are “aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.”

“Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russia-Ukraine war,” BlackBerry said. “The threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.”

The phishing emails, spotted by the company’s research and intelligence team, contain a weaponized document that includes a link pointing to an HTML file.


The weaponized URLs, hosted on a legitimate online library website based in El Salvador, feature lures related to LegisWrite and eTrustEx, both of which are used by E.U. nations for secure document exchange.

The HTML dropper (dubbed ROOTSAW or EnvyScout) delivered in the campaign embeds an ISO image, which, in turn, is designed to launch a malicious dynamic link library (DLL) that facilitates the delivery of a next-stage malware via Notion’s APIs.
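The HTML-smuggling pattern described above (a base64-encoded ISO image embedded in an HTML page and re-assembled in the browser) can be screened for on the defender's side without executing the page. The following scanner is an added example, not code from the article or from BlackBerry's report; it assumes the blob is plain base64 in the page text, and the 1024-character minimum run length is a threshold chosen for this example.

```python
import base64
import binascii
import re

# An ISO 9660 image carries the string "CD001" at byte 0x8001: the primary
# volume descriptor sits at sector 16 of 2048-byte sectors, after its type byte.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Runs of base64 text long enough to hold a disk image; the 1024-char floor is
# an assumption chosen for this example, not a documented threshold.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}")


def is_iso9660(data: bytes) -> bool:
    """True if the blob has the ISO 9660 volume descriptor signature in place."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def find_smuggled_isos(html: bytes) -> list:
    """Return (offset_in_html, decoded_size) for each base64 blob that decodes to an ISO image."""
    hits = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 (e.g. a long identifier or minified JS run)
        if is_iso9660(blob):
            hits.append((m.start(), len(blob)))
    return hits


def build_sample_html(payload: bytes) -> bytes:
    """Constructed sample of an HTML-smuggling page: the payload is base64 in a
    script variable and re-assembled client-side into a Blob for download."""
    b64 = base64.b64encode(payload)
    return (b"<html><body><script>var d='" + b64 + b"';"
            b"var b=new Blob([Uint8Array.from(atob(d),c=>c.charCodeAt(0))]);"
            b"</script></body></html>")


# Constructed stand-in for an ISO image: zeros up to the descriptor, the magic, then padding.
SAMPLE_ISO = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 2048

if __name__ == "__main__":
    print(find_smuggled_isos(build_sample_html(SAMPLE_ISO)))  # [(27, 34822)]
```

A blob that decodes to something other than an ISO (a large inline image, for instance) produces no hit, so the check keys on the container format rather than on blob size alone.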

The use of Notion, a popular note-taking application, for C2 communications was previously revealed by Recorded Future in January 2023. It’s worth noting that APT29 has employed various online services like Dropbox, Google Drive, Firebase, and Trello in an attempt to evade detection.

“Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the U.S., Europe, and Central Asia,” Microsoft stated last month.

The findings also come as enterprise security firm Proofpoint disclosed aggressive email campaigns orchestrated by a Russia-aligned threat actor called TA499 (aka Lexus and Vovan) since early 2021 to trick targets into participating in recorded phone calls or video chats and extract valuable information.

“The threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda,” the company said.
