Ukrainian Research Institution Targeted by HATVIBE and CHERRYSPY Malware
July 23, 2024
The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning regarding a spear-phishing campaign aimed at a Ukrainian scientific research institution. The campaign employs two types of malware, known as HATVIBE and CHERRYSPY. The attack is attributed to an entity known as UAC-0063, which has a history of targeting government organizations to extract sensitive data using keyloggers and backdoors.
The attack is carried out using a compromised email account of an employee within the targeted organization. The attacker then sends phishing emails to multiple recipients, attaching a Microsoft Word document embedded with malicious macros. Upon opening the document and enabling the macros, an encoded HTML Application (HTA) called HATVIBE is executed. This sets up persistence on the host through a scheduled task and enables a Python backdoor named CHERRYSPY, which can execute commands from a remote server.
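As an added illustration, not part of the CERT-UA advisory or this article, the Python sketch below shows how a defender might flag the Office -> mshta.exe -> scheduled-task/Python lineage described above in process-creation telemetry; the event records, process names and file paths are constructed for the example.

```python
# Added example: detect the HATVIBE-style chain (Office macro -> mshta.exe HTA ->
# schtasks.exe persistence / python.exe backdoor) in process-creation events.
# All events below are constructed sample data, not real telemetry.

SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},       # HTA stage
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe"},    # persistence
    {"pid": 500, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Python\python.exe"},  # backdoor
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},       # not from Office
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
FOLLOW_ON = {"schtasks.exe", "python.exe", "pythonw.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hatvibe_chain(events):
    """Return (severity, description) findings for suspicious mshta.exe lineage."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in OFFICE_APPS:
            continue  # mshta.exe launched by something other than an Office app
        # An Office process spawning mshta.exe is already worth a look.
        findings.append(("medium",
                         f"pid {e['pid']}: {basename(parent['image'])} spawned mshta.exe"))
        # Children of that mshta.exe matching the persistence / backdoor stages.
        for child in events:
            if child["ppid"] == e["pid"] and basename(child["image"]) in FOLLOW_ON:
                findings.append(("high",
                                 f"pid {child['pid']}: mshta.exe (pid {e['pid']}) "
                                 f"spawned {basename(child['image'])}"))
    return findings


if __name__ == "__main__":
    for severity, text in find_hatvibe_chain(SAMPLE_EVENTS):
        print(severity.upper(), text)
```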
CERT-UA has reported several instances of HATVIBE infections that exploit a known security vulnerability in HTTP File Server (CVE-2024-23692) to gain initial access. The threat actor UAC-0063 is believed to be linked to the Russia-associated nation-state group APT28, also known as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. This group is believed to be affiliated with Russia's strategic military intelligence unit, the GRU.
CERT-UA has also reported another phishing campaign targeting Ukrainian defense enterprises. This campaign employs booby-trapped PDF files that contain a link. When clicked, the link downloads an executable known as GLUEEGG, responsible for decrypting and running a Lua-based loader called DROPCLUE. This loader opens a decoy document for the victim, while secretly downloading a legitimate Remote Desktop program named Atera Agent. This attack is linked to another cluster known as UAC-0180.