| Category | Details |
|---|---|
| Threat Actors | UAC-0063, overlapping with APT28 (Russia-nexus) |
| Campaign Overview | Cyber espionage targeting Central Asia, particularly Kazakhstan's diplomatic and economic relations with Western and Asian countries |
| Target Regions | Kazakhstan, Kyrgyzstan, Tajikistan, Ukraine, India, Israel, Mongolia, Afghanistan, Europe |
| Methodology | Spear phishing with weaponized Word documents containing malicious macros |
| Product Targeted | Microsoft Word |
| Malware Reference | HATVIBE, CHERRYSPY |
| Tools Used | Malicious macros, VBA scripts, HTA files, YARA rules, and scheduled tasks |
| Vulnerabilities Exploited | Registry key modification to enable macros (AccessVBOM), bypassing security settings |
| TTPs | Spear phishing, living-off-the-land binary (mshta.exe), Double-Tap infection chain, use of scheduled tasks for persistence, XOR encryption for payloads |
| Attribution | Medium confidence linking UAC-0063 to APT28, potentially associated with GRU |
| Recommendations | Monitor registry changes, detect scheduled tasks linked to mshta.exe, use YARA rules for identifying malicious macros, deploy Sigma rules for detection |
| Source | Sekoia blog |
Read full article: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
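The two detection recommendations above (registry changes enabling macros via AccessVBOM, and scheduled tasks that launch mshta.exe) as added example detection logic over constructed telemetry records; this is not code from the Sekoia post, and the event field names, sample records, and rule names are assumptions made for the example.

```python
# Added example (not from the Sekoia post): checks normalised endpoint telemetry for
# the two indicators named in the summary's recommendations:
#   - a registry value set that enables trusted access to the VBA project object
#     model (Office ...\Security\AccessVBOM = 1), which macro droppers need, and
#   - a newly created scheduled task whose action runs mshta.exe (LOLBin persistence).
# Record fields are an assumption, loosely modelled on Sysmon event 13 (registry value
# set) and Windows Security event 4698 (scheduled task created).
from dataclasses import dataclass
import re

# Constructed sample records for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM", "value": "1"},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\DefaultFormat", "value": "0"},
    {"type": "task_created", "host": "WS01", "task": r"\Microsoft\Windows\Update",
     "command": r"C:\Windows\System32\mshta.exe", "args": r"C:\Users\Public\update.hta"},
    {"type": "task_created", "host": "WS02", "task": r"\Backup",
     "command": r"C:\Windows\System32\wbadmin.exe", "args": "start backup"},
]

@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str

# Office version segment (e.g. 16.0) and application vary, so match the tail of the key path.
ACCESSVBOM_KEY = re.compile(
    r"\\Office\\[\d.]+\\(Word|Excel|PowerPoint)\\Security\\AccessVBOM$", re.IGNORECASE)
# Match mshta with or without .exe, whether given as a bare name or a full path.
MSHTA = re.compile(r"(^|\\)mshta(\.exe)?$", re.IGNORECASE)

def detect(events):
    """Return one Finding per event that matches either rule; unmatched events are ignored."""
    findings = []
    for e in events:
        if e["type"] == "registry_set" and ACCESSVBOM_KEY.search(e["key"]) and e["value"] == "1":
            findings.append(Finding(e["host"], "office_accessvbom_enabled", e["key"]))
        elif e["type"] == "task_created" and MSHTA.search(e["command"]):
            findings.append(Finding(e["host"], "schtask_runs_mshta",
                                    f'{e["task"]} -> {e["command"]} {e["args"]}'))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.host, f.rule, f.detail)
```

In production the same two conditions map directly onto Sigma rules keyed on registry TargetObject and scheduled-task command fields; the regexes here are deliberately broad on Office version and application so a single rule covers the whole suite.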
The above summary has been generated by an AI language model