Article Details
Scrape Timestamp (UTC): 2024-07-23 09:05:29.765
Source: https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
Original Article Text
Click to Toggle View
Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063, which was previously observed targeting various government entities to gather sensitive information using keyloggers and backdoors. The attack is characterized by the use of a compromised email account belonging to an employee of the organization to send phishing messages to "dozens" of recipients containing a macro-laced Microsoft Word (DOCX) attachment. Opening the document and enabling macros results in the execution of an encoded HTML Application (HTA) named HATVIBE, which sets up persistence on the host using a scheduled task and paves the way for a Python backdoor codenamed CHERRYSPY, which is capable of running commands issued by a remote server. CERT-UA said it detected "numerous cases" of HATVIBE infections that exploit a known security flaw in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) for initial access. UAC-0063 has been attributed to a Russia-linked nation-state group dubbed APT28 with moderate confidence. APT28, which is also referred to as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is affiliated with Russia's strategic military intelligence unit, the GRU. The development comes as CERT-UA detailed another phishing campaign targeting Ukrainian defense enterprises with booby-trapped PDF files embedding a link that, when clicked, downloads an executable (aka GLUEEGG), which is responsible for decrypting and running a Lua-based loader called DROPCLUE. DROPCLUE is designed to open a decoy document to the victim, while covertly downloading a legitimate Remote Desktop program called Atera Agent using the curl utility. The attack has been linked to a cluster tracked as UAC-0180.
Daily Brief Summary
The Computer Emergency Response Team of Ukraine (CERT-UA) reported a spear-phishing attack targeting a scientific research institution using HATVIBE and CHERRYSPY malware.
The attack utilized a compromised email account to distribute macro-enabled DOCX files to multiple recipients.
Enabling macros in the document triggers the execution of HATVIBE, establishing persistence through scheduled tasks and leading to the deployment of the CHERRYSPY Python backdoor.
CHERRYSPY facilitates remote command execution, increasing the threat actor’s control over compromised systems.
The malware exploits a critical vulnerability in HTTP File Server (CVE-2024-23692) for initial access, signifying its high-risk level (CVSS score: 9.8).
CERT-UA attributes these attacks to UAC-0063, identified as a Russian nation-state group APT28, with links to Russia's military intelligence.
In a related campaign, Ukrainian defense enterprises were targeted with rigged PDFs leading to the deployment of a Lua-based loader, DROPCLUE, via another threat actor cluster, UAC-0180.