Ukrainian Research Institution Targeted by HATVIBE and CHERRYSPY Malware

July 23, 2024

The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning regarding a spear-phishing campaign aimed at a Ukrainian scientific research institution. The campaign employs two types of malware, known as HATVIBE and CHERRYSPY. The attack is attributed to an entity known as UAC-0063, which has a history of targeting government organizations to extract sensitive data using keyloggers and backdoors.

The attack is carried out using a compromised email account of an employee within the targeted organization. The attacker then sends phishing emails to multiple recipients, attaching a Microsoft Word document embedded with malicious macros. Upon opening the document and enabling the macros, an encoded HTML Application (HTA) called HATVIBE is executed. This sets up persistence on the host through a scheduled task and enables a Python backdoor named CHERRYSPY, which can execute commands from a remote server.
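The chain above (macro-enabled Word document, HTA host, scheduled-task persistence, Python backdoor) maps onto a short sequence of process-creation events a defender can alert on. The following is an added detection example, not code from CERT-UA or from this article; the log format, file paths, user name and the assumption that the task action launches a Python interpreter from a user-profile directory are all constructed for the example and are not indicators from the report.

```python
# Added example (not from CERT-UA or the original article): host-based detection
# of the HATVIBE delivery chain described in the text -- Office document with
# macros -> mshta.exe running an HTA -> schtasks.exe creating persistence ->
# Python backdoor (CHERRYSPY) started from the task. The 'ts|parent|image|cmdline'
# log format, the paths and the user name are constructed; the rule that the
# task action points at a user-profile Python interpreter is an assumption.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    ts: str        # event timestamp
    parent: str    # parent process image name (lower-cased)
    image: str     # child process image name (lower-cased)
    cmdline: str   # full command line of the child


def parse_line(line: str) -> ProcEvent:
    """Parse one 'ts|parent|image|cmdline' record (constructed format)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts, parent.lower(), image.lower(), cmdline)


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_PROFILE = re.compile(r"c:\\users\\[^\\]+\\", re.IGNORECASE)
PYTHON_EXE = re.compile(r"pythonw?\.exe", re.IGNORECASE)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)', re.IGNORECASE)


def office_spawns_hta(ev: ProcEvent) -> bool:
    """Rule 1: an Office application launching the HTA host (macro -> HTA)."""
    return ev.parent in OFFICE_APPS and ev.image == "mshta.exe"


def hta_creates_task(ev: ProcEvent) -> bool:
    """Rule 2: mshta.exe creating a scheduled task (the persistence step)."""
    return (ev.parent == "mshta.exe" and ev.image == "schtasks.exe"
            and "/create" in ev.cmdline.lower())


def task_runs_user_python(ev: ProcEvent) -> bool:
    """Rule 3 (assumption): the task action runs a Python interpreter that
    lives under a user profile, where an unmanaged backdoor would be dropped."""
    if ev.image != "schtasks.exe":
        return False
    m = TASK_ACTION.search(ev.cmdline)
    if not m:
        return False
    action = m.group(1)
    return bool(PYTHON_EXE.search(action) and USER_PROFILE.search(action))


RULES = [
    ("office_spawned_mshta", office_spawns_hta),
    ("mshta_created_scheduled_task", hta_creates_task),
    ("task_runs_python_from_user_profile", task_runs_user_python),
]


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, timestamp) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.ts))
    return hits


# Constructed sample events: a benign Word launch, the HTA stage, the
# persistence stage, and an unrelated browser launch that must not fire.
SAMPLE_EVENTS = [
    r'2024-07-23T09:14:02Z|explorer.exe|WINWORD.EXE|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\report.docx"',
    r'2024-07-23T09:14:20Z|WINWORD.EXE|mshta.exe|mshta.exe C:\Users\alice\AppData\Local\Temp\update.hta',
    r'2024-07-23T09:14:21Z|mshta.exe|schtasks.exe|schtasks.exe /create /tn Update /tr "C:\Users\alice\AppData\Local\Programs\Python\python.exe C:\Users\alice\AppData\Local\client.py" /sc minute /mo 5',
    r'2024-07-23T10:02:11Z|explorer.exe|chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe"',
]

if __name__ == "__main__":
    for name, ts in detect(SAMPLE_EVENTS):
        print(f"{ts}  {name}")
```

Rules 1 and 2 are the high-confidence signals: an Office process starting mshta.exe, and mshta.exe registering a scheduled task, are both rare in normal use and correspond directly to the stages the report describes. Rule 3 is weaker on its own (developers do run Python from their profile), so it is best used to enrich a hit from rule 2 rather than as a standalone alert.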

CERT-UA has reported several instances of HATVIBE infections that exploit a known security vulnerability in HTTP File Server (CVE-2024-23692) to gain initial access. The threat actor UAC-0063 is believed to be linked to the Russia-associated nation-state group APT28, also known as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. This group is believed to be affiliated with Russia's strategic military intelligence unit, the GRU.

CERT-UA has also reported another phishing campaign targeting Ukrainian defense enterprises. This campaign employs booby-trapped PDF files that contain a link. When clicked, the link downloads an executable known as GLUEEGG, responsible for decrypting and running a Lua-based loader called DROPCLUE. This loader opens a decoy document for the victim, while secretly downloading a legitimate Remote Desktop program named Atera Agent. This attack is linked to another cluster known as UAC-0180.
