
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations

Category: Details
Threat Actors: UAC-0063, overlapping with APT28 (Russia-nexus)
Campaign Overview: Cyber espionage targeting Central Asia, including Kazakhstan, and its diplomatic and economic relations with Western and Asian countries
Target Regions: Kazakhstan, Kyrgyzstan, Tajikistan, Ukraine, India, Israel, Mongolia, Afghanistan, Europe
Methodology: Spear phishing with weaponized Word documents containing malicious macros
Product Targeted: Microsoft Word
Malware Reference: HATVIBE, CHERRYSPY
Tools Used: Malicious macros, VBA scripts, HTA files, YARA rules, and scheduled tasks
Vulnerabilities Exploited: Registry key modification to enable macros (AccessVBOM), bypassing security settings
TTPs: Spear phishing, living-off-the-land binary (mshta.exe), Double-Tap infection chain, use of scheduled tasks for persistence, XOR encryption for payloads
Attribution: Medium confidence linking UAC-0063 to APT28, potentially associated with the GRU
Recommendations: Monitor registry changes, detect scheduled tasks linked to mshta.exe, use YARA rules for identifying malicious macros, deploy Sigma rules for detection
Source: Sekoia blog

Read full article: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/

The above summary has been generated by an AI language model
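The registry and scheduled-task monitoring suggested in the Recommendations row, as an added Python example that is not part of the Sekoia report or this summary: it scans constructed Sysmon-style events (registry value set, event 13; process creation, event 1) for the Word AccessVBOM value being set to 1 and for schtasks.exe creating a task whose action runs mshta.exe. The per-version Office\<ver>\Word\Security\AccessVBOM registry path and the event field names are assumptions, not taken from the page.

```python
import re

# Constructed, simplified Sysmon-like events (not real telemetry).
# id 13 = registry value set, id 1 = process creation.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 60 /tn "Updater" /tr "mshta.exe C:\Users\Public\u.hta"'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "details": "DWORD (0x00000000)"},
]

# Assumed path layout: ...\Office\<version>\Word\Security\AccessVBOM
ACCESSVBOM_RE = re.compile(r"\\Office\\[\d.]+\\Word\\Security\\AccessVBOM$", re.I)
# Task action that invokes mshta (with or without the .exe suffix).
MSHTA_RE = re.compile(r"\bmshta(\.exe)?\b", re.I)
# Only task creation is interesting; /query, /delete etc. are ignored.
CREATE_RE = re.compile(r"\s/create\b", re.I)


def detect(events):
    """Return (rule_name, evidence) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 13 and ACCESSVBOM_RE.search(ev.get("target", "")):
            # AccessVBOM=1 lets VBA code manipulate the VBA project itself;
            # a value of 0 is the default and is not alerted on.
            if "0x00000001" in ev.get("details", ""):
                alerts.append(("accessvbom_enabled", ev["image"]))
        elif ev["id"] == 1 and ev["image"].lower().endswith("schtasks.exe"):
            cmdline = ev.get("cmdline", "")
            if CREATE_RE.search(cmdline) and MSHTA_RE.search(cmdline):
                alerts.append(("mshta_scheduled_task", cmdline))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

In production the same two conditions map directly onto Sigma rules over the registry_set and process_creation log sources, which is the form the Recommendations row suggests deploying.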


Source: Sekoia

Published on: January 14, 2025
