| Category | Details |
|---|---|
| Threat Actors | UAC-0063, linked to APT28 (Russian GRU-affiliated group, also known as Fancy Bear, Sednit, etc.) |
| Campaign Overview | Cyber espionage campaign targeting Kazakhstan, involving spear-phishing with Microsoft Office documents to deploy malware (HATVIBE, CHERRYSPY). |
| Target Regions | Kazakhstan, Central Asia, East Asia, Eastern Europe |
| Methodology | Spear-phishing emails with malicious Microsoft Office documents; multi-stage infection chain (Double-Tap); use of HTA file with VBS backdoor (HATVIBE), Python backdoor (CHERRYSPY). |
| Product Targeted | Microsoft Office documents (weaponized for malware delivery) |
| Malware Reference | HATVIBE (loader), CHERRYSPY (Python backdoor), other malware related to APT28 |
| Tools Used | Legitimate Microsoft Office documents, HTA files, VBS scripts, mshta.exe, scheduled tasks, settings.xml file |
| Vulnerabilities Exploited | Likely unknown vulnerabilities related to document macros and file execution |
| TTPs | Spear-phishing, macro-based malware execution, anti-emulation, obfuscation (e.g., storing malicious code in settings.xml, using mshta.exe, scheduled task without schtasks.exe) |
| Attribution | UAC-0063 attributed to APT28 (Russia-linked), based on malware overlap and attack techniques |
| Recommendations | Enhanced email security, secure handling of macros, monitoring for unusual file execution and scheduled tasks |
| Source | The Hacker News |
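As an added example (not code from the article or from any vendor tooling), the detection logic below encodes the Methodology and TTPs rows as rules over process-creation and scheduled-task events: an Office application spawning mshta.exe, mshta.exe being handed a non-HTA file such as settings.xml, and a task registered by something other than schtasks.exe. The event schema, the allow-list of expected task creators and all sample records are constructed assumptions.

```python
# Constructed event schema (assumption, not a real product's log format):
#   process_create: image, parent_image, cmdline
#   task_create:    task_name, creator_image (process that registered the task)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
HTA_EXTENSIONS = (".hta", ".htm", ".html")
TASK_CREATORS_EXPECTED = {"schtasks.exe", "mmc.exe"}  # assumption: tools that normally register tasks


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules for one process-creation record; returns a list of (rule, detail)."""
    hits = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    if image == "mshta.exe":
        if parent in OFFICE_APPS:
            hits.append(("office_spawns_mshta", f"{parent} -> {image}"))
        # The token after the executable is what mshta.exe will run; a non-HTA
        # target (e.g. settings.xml) matches the obfuscation described above.
        args = ev["cmdline"].split(None, 1)[1:]
        target = args[0].strip('"') if args else ""
        if target and not target.lower().endswith(HTA_EXTENSIONS):
            hits.append(("mshta_non_hta_input", target))
    return hits


def check_task(ev):
    """Flag scheduled tasks not registered through the expected tooling."""
    creator = basename(ev["creator_image"])
    if creator not in TASK_CREATORS_EXPECTED:
        return [("task_created_outside_schtasks", f"{ev['task_name']} by {creator}")]
    return []


def analyse(events):
    """Run every rule over a list of event dicts and return all alerts."""
    alerts = []
    for ev in events:
        if ev["event"] == "process_create":
            alerts += check_process(ev)
        elif ev["event"] == "task_create":
            alerts += check_task(ev)
    return alerts


SAMPLE_EVENTS = [  # constructed sample records; paths and task names are illustrative
    {"event": "process_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"WINWORD.EXE" /n invoice.docx'},
    {"event": "process_create", "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\settings.xml"'},
    {"event": "task_create", "task_name": "UpdaterTask", "creator_image": r"C:\Windows\System32\mshta.exe"},
    {"event": "task_create", "task_name": "Backup", "creator_image": r"C:\Windows\System32\schtasks.exe"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block prints three alerts for the sample set: the Office-to-mshta.exe spawn, the settings.xml target, and the task registered by mshta.exe; the schtasks.exe-created task is left alone.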
Read full article: https://thehackernews.com/2025/01/russian-linked-hackers-target.html
The above summary has been generated by an AI language model