Ethical Hacking News
Russia-linked threat actor UAC-0063 has targeted Kazakhstan with its HATVIBE malware, as part of a sophisticated cyber espionage campaign aimed at gathering economic and political intelligence in the region. This incident highlights Russia's expanding cyber warfare reach and the increasing sophistication of these threats.
Russia-linked cyber threat actor UAC-0063 has been involved in a sophisticated cyber espionage campaign targeting Kazakhstan. The group's arsenal includes multiple malware families such as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx). A recent cyber espionage campaign used weaponized Kazakh Ministry of Foreign Affairs documents to target government entities in Central Asia. The campaign employed various tricks to bypass security solutions, including storing malicious macro code in the settings.xml file. Russia's expanding cyber warfare reach is a significant concern for governments and organizations worldwide.
Russia's expanding cyber warfare reach has once again come to light, this time targeting the Central Asian nation of Kazakhstan. According to recent reports, Russia-linked threat actor UAC-0063 has been involved in a sophisticated cyber espionage campaign aimed at gathering economic and political intelligence in the region.
The first detailed activity of UAC-0063 was reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in early 2023. The group's arsenal includes multiple malware families such as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx). These malware families have been used to target government entities in various regions, including Ukraine, Central Asia, East Asia, and Europe.
In a recent development, President Putin's state visit to Kazakhstan on November 27, 2024, was followed by a cyber espionage campaign using weaponized Kazakh Ministry of Foreign Affairs documents. When the malicious macro in such a document is enabled, it creates a second, blank document in the C:\Users\[USER]\AppData\Local\Temp\ folder. This second document is populated from variables stored in the settings.xml of the first document and is weaponized by adding a malicious macro to it.
The macro launched a hidden Microsoft Word instance to open the second malicious document, which would execute its macro in a stealthy way after the AccessVBOM registry key had been modified. The report published by Sekoia attributes the attacks to Russia-linked UAC-0063, overlapping with APT28.
Further analysis revealed that HATVIBE acts as a loader, downloading VBS modules that lead to the deployment of the Python backdoor CHERRYSPY. The Double-Tap campaign, similar to Zebrocy infections, uses VBA scripts, registry modifications, and scheduled tasks for persistence. The UAC-0063 activity is linked to the GRU's APT28 group.
What makes this Double-Tap infection chain quite unique is that it employs several tricks to bypass security solutions: storing the real malicious macro code in the settings.xml file; creating a scheduled task for the second document without spawning schtasks.exe; and, for the first document, an anti-emulation check that verifies the execution time has not been altered and stops the macro otherwise.
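Because the chain keeps the real macro in document variables inside settings.xml rather than in the VBA project, a triage scanner can look there directly. The following Python script is an added example written for this article, not code from Sekoia or the reporters; it unpacks a .docx, reads the w:docVar entries from word/settings.xml, and flags variables that are unusually large or contain VBA-like tokens (the marker list and size threshold are assumed heuristics). A minimal sample .docx is constructed inline so it runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/settings.xml
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Assumed heuristic: tokens that rarely belong in a benign document variable
VBA_MARKERS = re.compile(
    r"\b(Sub|Function|CreateObject|Shell|AccessVBOM|VBProject|Application\.Run)\b", re.I)


def extract_doc_vars(docx_bytes):
    """Return {name: value} for every w:docVar in word/settings.xml ({} if none)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/settings.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("word/settings.xml"))
    return {var.get(f"{{{W_NS}}}name", ""): var.get(f"{{{W_NS}}}val", "")
            for var in root.iter(f"{{{W_NS}}}docVar")}


def suspicious_doc_vars(docx_bytes, min_len=200):
    """List (name, reasons) for docVars that are large or look like VBA source."""
    findings = []
    for name, val in extract_doc_vars(docx_bytes).items():
        reasons = []
        if len(val) >= min_len:
            reasons.append(f"large value ({len(val)} chars)")
        if VBA_MARKERS.search(val):
            reasons.append("VBA-like tokens")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_docx(doc_vars):
    """Constructed minimal .docx containing only the parts this scanner reads."""
    settings = ET.Element(f"{{{W_NS}}}settings")
    dv = ET.SubElement(settings, f"{{{W_NS}}}docVars")
    for name, val in doc_vars.items():
        ET.SubElement(dv, f"{{{W_NS}}}docVar",
                      {f"{{{W_NS}}}name": name, f"{{{W_NS}}}val": val})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", ET.tostring(settings, encoding="unicode"))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx({"v1": "Sub AutoOpen()\n  MsgBox \"stub\"\nEnd Sub"})
    print(suspicious_doc_vars(sample))
```

To scan a real file, pass `open(path, "rb").read()` to `suspicious_doc_vars`; a hit is a reason to detonate or manually review the document, not proof of compromise.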
The incident highlights Russia's expanding cyber warfare reach and its increasing sophistication. The use of sophisticated malware families such as HATVIBE and CHERRYSPY demonstrates the group's ability to adapt and evolve in response to changing security measures.
In addition to this incident, there have been recent reports of other threats targeting Fortinet FortiGate firewalls and of flaws in Aviatrix Controller. These incidents demonstrate the ongoing threat landscape and the need for continued vigilance and awareness among cybersecurity professionals.
In conclusion, Russia's expanding cyber warfare reach is a significant concern for governments and organizations around the world. The use of sophisticated malware families such as HATVIBE and CHERRYSPY by groups like UAC-0063 highlights the increasing sophistication of these threats. As the threat landscape continues to evolve, it is essential that cybersecurity professionals stay informed and adapt their defenses accordingly.
Related Information:
https://securityaffairs.com/173064/apt/uac-0063-target-kazakhstan-hatvibe-malware.html
Published: Tue Jan 14 14:07:09 2025 by llama3.2 3B Q4_K_M