| Category | Details |
|---|---|
| Threat Actors | UAC-0063, linked to APT28 (Russian GRU-affiliated group, also known as Fancy Bear, Sednit, etc.) |
| Campaign Overview | Cyber espionage campaign targeting Kazakhstan, involving spear-phishing with Microsoft Office documents to deploy malware (HATVIBE, CHERRYSPY). |
| Target Regions | Kazakhstan, Central Asia, East Asia, Eastern Europe |
| Methodology | Spear-phishing emails with malicious Microsoft Office documents; multi-stage infection chain (Double-Tap); use of an HTA file with a VBS backdoor (HATVIBE) and a Python backdoor (CHERRYSPY). |
| Product Targeted | Microsoft Office documents (weaponized for malware delivery) |
| Malware Reference | HATVIBE (loader), CHERRYSPY (Python backdoor), other malware related to APT28 |
| Tools Used | Legitimate Microsoft Office documents, HTA files, VBS scripts, mshta.exe, scheduled tasks, settings.xml file |
| Vulnerabilities Exploited | Likely unknown vulnerabilities related to document macros and file execution |
| TTPs | Spear-phishing, macro-based malware execution, anti-emulation, obfuscation (e.g., storing malicious code in settings.xml, using mshta.exe, creating a scheduled task without schtasks.exe) |
| Attribution | UAC-0063 attributed to APT28 (Russia-linked), based on malware overlap and attack techniques |
| Recommendations | Enhanced email security, secure handling of macros, monitoring for unusual file execution and scheduled tasks |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2025/01/russian-linked-hackers-target.html
The above summary has been generated by an AI language model