'Winter Vivern' Running Espionage Campaigns to Support Russia and Belarus
Category: Threat Actor Activity | Industries: Government, Telecommunications | Level: Tactical | Source: SentinelLabs
'Winter Vivern,' suspected pro-Russian APT (advanced persistent threat) advanced hacking group, has been conducting espionage campaigns targeting European government organizations and telecommunication service providers. The group's actions align with the interests of the Russian and Belarusian governments, targeting government agencies and even telecommunication organizations supporting Ukraine. Researchers from SentinelLabs identified the threat actor initiating "various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information."
From the beginning of 2023, the hackers produced web pages imitating ones used by the Central Bureau for Combating Cybercrime in Poland, the Ministry of Foreign Affairs in Ukraine, and Ukraine's Security Service. The weaponized files were used to launch PowerShell running the 'Invoke-Expression' command to download additional payloads. SentinelLabs reports that the threat group functions on limited resources; however, their creativity compensates for these limitations. One example of Winter Vivern's resourcefulness is the use of Windows batch files to impersonate antivirus scanners while, in reality, downloading malicious payloads. A particular malware family used by Winter Vivern was labeled as "Aperetif" by CERT-UA. Aperetif malware has the ability to scan and extract files automatically, capture screenshots, and transmit all information in a base64-encoded format to a command and control server URL that is hardcoded.
- AVL_UC8310 - Malicious File Delivering Malware
Anvilogic Use Cases:
- AVL_UC1050 - Malicious Document Execution
- AVL_UC1037 - Invoke-Expression Command
- AVL_UC1116 - Executable Create Script Process