Winter Vivern APT Group Targeting Indian, Lithuanian, Slovakian, and Vatican Officials

The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.

The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News.

“Of particular interest is the APT’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war,” senior threat researcher Tom Hegel said.

Winter Vivern, also tracked as UAC-0114, drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif.

Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

While the origins of the threat actor are unknown, the attack patterns suggest that the cluster is aligned with objectives that support the interests of Belarus and Russia’s governments.

UAC-0114 has employed a variety of methods, ranging from phishing websites to malicious documents, that are tailored to the targeted organization to distribute its custom payloads and gain unauthorized access to sensitive systems.

In one batch of attacks observed in mid-2022, Winter Vivern set up credential phishing web pages to lure users of the Indian government’s legitimate email service email.gov[.]in.

Typical attack chains involve using batch scripts masquerading as virus scanners to trigger the deployment of the Aperetif trojan from actor-controlled infrastructure such as compromised WordPress sites.

Aperetif, a Visual C++-based malware, comes with features to collect victim data, maintain backdoor access, and retrieve additional payloads from the command-and-control (C2) server.

“The Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks,” Hegel said.

“Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations.”

While Winter Vivern may have managed to evade the public eye for extended periods of time, one group that’s not too concerned about staying under the radar is Nobelium, which shares overlaps with APT29 (aka BlueBravo, Cozy Bear, or The Dukes).

The Kremlin-backed nation-state group, notorious for the SolarWinds supply chain compromise in December 2020, has continued to evolve its toolset, developing new custom malware like MagicWeb and GraphicalNeutrino.

It has also been attributed to yet another phishing campaign directed against diplomatic entities in the European Union, with specific emphasis on agencies that are “aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.”

“Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russia-Ukraine war,” BlackBerry said. “The threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.”

The phishing emails, spotted by the company’s research and intelligence team, contain a weaponized document that includes a link pointing to an HTML file.

The weaponized URLs, hosted on a legitimate online library website based in El Salvador, feature lures related to LegisWrite and eTrustEx, both of which are used by E.U. nations for secure document exchange.

The HTML dropper (dubbed ROOTSAW or EnvyScout) delivered in the campaign embeds an ISO image, which, in turn, is designed to launch a malicious dynamic link library (DLL) that facilitates the delivery of a next-stage malware via Notion’s APIs.
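As an added defensive example (not code from the article or from any vendor it cites), the following Python scans an HTML file for a long base64 blob that decodes to an ISO 9660 image or a PE executable, the shape an HTML dropper carrying an embedded ISO takes. The sample page it scans is constructed here, and the 512-character run threshold and the signature checks are assumptions.

```python
import base64
import re

# Long, unbroken base64 runs are the usual carrier for a file smuggled inside HTML.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")
# ISO 9660 primary volume descriptor: the identifier "CD001" sits at byte offset 0x8001.
ISO_SIG_OFFSET = 0x8001
ISO_SIG = b"CD001"


def extract_blobs(html: str) -> list[bytes]:
    """Decode every long base64 run in the page. Whitespace is stripped first so
    line-wrapped blobs are still seen; runs that are not valid base64 are skipped."""
    compact = re.sub(r"\s+", "", html)
    blobs = []
    for match in B64_RUN.finditer(compact):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def classify(blob: bytes) -> str:
    """Label a decoded blob by file signature: ISO 9660 image, PE executable, or unknown."""
    end = ISO_SIG_OFFSET + len(ISO_SIG)
    if len(blob) >= end and blob[ISO_SIG_OFFSET:end] == ISO_SIG:
        return "iso9660"
    if blob[:2] == b"MZ":
        return "pe"
    return "unknown"


def find_smuggled_payloads(html: str) -> list[tuple[str, int]]:
    """Return (kind, size_in_bytes) for each embedded blob that decodes to an ISO or PE."""
    hits = []
    for blob in extract_blobs(html):
        kind = classify(blob)
        if kind != "unknown":
            hits.append((kind, len(blob)))
    return hits


def build_sample_html(payload: bytes) -> str:
    """Constructed test page (not a real dropper): a script variable holding the base64 payload."""
    return '<html><body><script>var d="%s";</script></body></html>' % base64.b64encode(payload).decode()


if __name__ == "__main__":
    # Constructed ISO-like payload: zero-filled sectors with the CD001 identifier in place.
    fake_iso = b"\x00" * ISO_SIG_OFFSET + ISO_SIG + b"\x00" * 32
    print(find_smuggled_payloads(build_sample_html(fake_iso)))  # [('iso9660', 32806)]
```

Run it over mail-gateway or proxy-captured HTML attachments; a hit on a page that also triggers a download in script is worth quarantining for review.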

The use of Notion, a popular note-taking application, for C2 communications was previously revealed by Recorded Future in January 2023. It’s worth noting that APT29 has employed various online services like Dropbox, Google Drive, Firebase, and Trello in an attempt to evade detection.

“Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the U.S., Europe, and Central Asia,” Microsoft stated last month.

The findings also come as enterprise security firm Proofpoint disclosed aggressive email campaigns orchestrated by a Russia-aligned threat actor called TA499 (aka Lexus and Vovan) since early 2021 to trick targets into participating in recorded phone calls or video chats and extract valuable information.

“The threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda,” the company said.