| Category | Details |
|---|---|
| Threat Actors | UAC-0063, overlapping with APT28 (Russia-nexus) |
| Campaign Overview | Cyber espionage targeting Central Asia, in particular Kazakhstan and its diplomatic and economic relations with Western and Asian countries |
| Target Regions | Kazakhstan, Kyrgyzstan, Tajikistan, Ukraine, India, Israel, Mongolia, Afghanistan, Europe |
| Methodology | Spear phishing with weaponized Word documents containing malicious macros |
| Product Targeted | Microsoft Word |
| Malware Reference | HATVIBE, CHERRYSPY |
| Tools Used | Malicious macros (VBA), HTA files executed via mshta.exe, and scheduled tasks |
| Vulnerabilities Exploited | No software vulnerability (CVE) reported; the chain relies on macro execution and on modifying the Word AccessVBOM registry value (trust access to the VBA project object model), which lets a macro write VBA into another document and bypasses a default security setting |
| TTPs | Spear phishing; living-off-the-land binary mshta.exe to run HTA payloads; Double-Tap (two-stage) macro infection chain; scheduled tasks for persistence; XOR-encoded payloads |
| Attribution | Medium confidence that UAC-0063 is linked to APT28, and therefore potentially to the GRU |
| Recommendations | Monitor registry changes (in particular AccessVBOM), detect scheduled tasks that launch mshta.exe, use YARA rules to identify the malicious macros, deploy Sigma rules for detection |
| Source | Sekoia blog |
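The recommendations above are host-level detections, so here is an added example, written for this summary and not taken from the Sekoia report, of the three checks expressed as Python rules run over constructed Sysmon-style events (EventID 13 registry value set, EventID 1 process create). The event dictionaries, SIDs and paths are all made up for the example; the heuristic that a scheduled task launches its action under svchost.exe with the Schedule service group (or taskeng.exe on older Windows) is an assumption of this example, not something the report states.

```python
"""Double-Tap style hunting rules over constructed Sysmon-style events.

Rules:
  1. AccessVBOM set to 1 under an Office Word\Security key (registry event 13)
  2. schtasks.exe registering a task whose action runs mshta.exe (process event 1)
  3. mshta.exe started by the Task Scheduler host (process event 1)
"""
import re

# Matches HKCU/HKU and Policies paths for any Office version, e.g.
# ...\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM
ACCESSVBOM_RE = re.compile(
    r"\\Office\\\d+\.\d+\\Word\\Security\\AccessVBOM$", re.IGNORECASE)
MSHTA_RE = re.compile(r"(^|\\)mshta\.exe$", re.IGNORECASE)


def accessvbom_enabled(event):
    """Sysmon EventID 13 (RegistryEvent, value set) turning AccessVBOM on.

    Sysmon renders DWORD data as 'DWORD (0x00000001)', so the value 1 is
    checked on the rendered string rather than on a parsed integer.
    """
    if event.get("EventID") != 13:
        return False
    if not ACCESSVBOM_RE.search(event.get("TargetObject", "")):
        return False
    return event.get("Details", "").upper().endswith("(0X00000001)")


def schtasks_registers_mshta(event):
    """Sysmon EventID 1: schtasks.exe creating a task whose action runs mshta."""
    if event.get("EventID") != 1:
        return False
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cmd = event.get("CommandLine", "").lower()
    return "/create" in cmd and "mshta" in cmd


def mshta_from_scheduled_task(event):
    """Sysmon EventID 1: mshta.exe whose parent is the Task Scheduler host.

    Assumption (this example's heuristic): task actions are spawned by
    svchost.exe running the 'Schedule' service, or by taskeng.exe on older
    Windows versions.
    """
    if event.get("EventID") != 1:
        return False
    if not MSHTA_RE.search(event.get("Image", "")):
        return False
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\taskeng.exe"):
        return True
    parent_cmd = event.get("ParentCommandLine", "").lower()
    return parent.endswith("\\svchost.exe") and "schedule" in parent_cmd


RULES = {
    "accessvbom_enabled": accessvbom_enabled,
    "schtasks_registers_mshta": schtasks_registers_mshta,
    "mshta_from_scheduled_task": mshta_from_scheduled_task,
}


def run_detections(events):
    """Return (rule_name, event_index) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed sample events (not real telemetry). Index 0, 2 and 3 should fire.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000000)"},   # value reset to 0: not a hit
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /sc minute /mo 4 '
                    r'/tr "mshta.exe C:\Users\user\AppData\Local\Temp\payload.hta"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\payload.hta",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\Downloads\page.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},   # user double-click: not a task
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Word\Options\BackgroundOpen",
     "Details": "DWORD (0x00000001)"},   # unrelated Word option: not a hit
]

if __name__ == "__main__":
    for name, idx in run_detections(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx].get('Image')}")
```

Event 4 (mshta.exe launched by explorer.exe) deliberately does not fire the scheduled-task rule; in practice you would pair it with a broader rule on mshta.exe reading an .hta from a user-writable directory, and the same three rules translate directly into Sigma selections on the Sysmon fields used here.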
Read full article: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/
The above summary has been generated by an AI language model