Hackers With Ties To Russia Use HATVIBE Malware To Target Kazakhstan In An Espionage Campaign.

An ongoing cyber espionage campaign targeting Kazakhstan, part of the Kremlin's effort to obtain political and economic intelligence in Central Asia, has been traced to threat actors with ties to Russia.

According to assessments, the effort was carried out by an intrusion set known as UAC-0063, which most likely overlaps with APT28, a nation-state group connected to Russia's General Staff Main Intelligence Directorate (GRU). Other names for it include Iron Twilight, Forest Blizzard, Frozen Lake, Pawn Storm, Blue Athena, Blue Delta, Fancy Bear, Fighting Ursa, ITG05, Sednit, Sofacy, and TA422. The Computer Emergency Response Team of Ukraine (CERT-UA) first reported UAC-0063 in early 2023, describing its use of malware families known as HATVIBE, CHERRYSPY, and STILLARCH (also known as DownEx) to attack government organizations.

Notably, this group is the only one observed using these malware families. According to Recorded Future's Insikt Group, which tracks the activity cluster as TAG-110, further operations have been seen targeting organizations in Central Asia, East Asia, and Europe. According to a recent investigation by the French cybersecurity firm Sekoia, "UAC-0063 targeting suggests a focus on intelligence collection in sectors such as Government, including diplomacy, NGOs, Academia, Energy, and Defense, with a Geographical focus on Ukraine, Central Asia, and Eastern Europe."

The most recent round of attacks uses spear-phishing lures to initiate a multi-stage infection chain called Double-Tap, which delivers the HATVIBE malware, using authentic Microsoft Office documents from the Republic of Kazakhstan's Ministry of Foreign Affairs. Although the source of these documents is unknown at this time, it is possible that they were exfiltrated during a previous operation.

In particular, the documents contain a malicious macro that creates a second, blank document in the "C:\Users\[USER]\AppData\Local\Temp\" folder when the victim runs it. "This second document is automatically opened in a hidden Word instance by the initial macro, to drop and execute a malicious HTA (HTML Application) file embedding a VBS (Visual Basic Script) backdoor nicknamed 'HATVIBE,'" Sekoia researchers stated.
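The chain described above (Office macro, hidden Word instance, dropped HTA under the user's Temp folder) leaves a recognizable trail in process-creation telemetry. The following script is an added defender-side example, not code from the article or from Sekoia: it walks a small set of constructed Sysmon-style process events and flags a script host (mshta.exe, wscript.exe, cscript.exe) that descends from an Office process, or any command line that references an .hta file under AppData\Local\Temp. The event fields, process IDs, file names and the assumption that the hidden Word instance is a direct child of the first one are all constructed for the sample; real parentage depends on how the second instance is launched, so the ancestor walk looks several levels up rather than only at the immediate parent.

```python
import os
import re

# Constructed sample of process-creation events (Sysmon Event ID 1-like fields,
# simplified). These are made up for this example and are not from the article.
SAMPLE_EVENTS = [
    # User opens the lure document in Word
    {"pid": 4012, "ppid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invitation.docx"'},
    # Second, hidden Word instance (assumed here to be a child of the first;
    # the command line is hypothetical)
    {"pid": 4100, "ppid": 4012,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /Automation -Embedding'},
    # Script host launched from the hidden instance to run a dropped HTA
    {"pid": 4150, "ppid": 4100,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\stage2.hta"'},
    # Benign activity that must not be flagged
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe "C:\Users\alice\AppData\Local\Temp\notes.txt"'},
]

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# An .hta path anywhere under <profile>\AppData\Local\Temp\
TEMP_HTA = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]*\.hta\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (handles backslashes)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestor_images(pid, index, max_depth=8):
    """Image basenames of a process's ancestors, nearest parent first.

    Stops at max_depth or when the parent is unknown, and guards against
    PID reuse creating a cycle in the sample data.
    """
    chain = []
    seen = set()
    cur = index.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = index.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def find_suspicious(events):
    """Return a list of findings; each names the process and why it was flagged."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        reasons = []
        img = basename(e["image"])
        if img in SCRIPT_HOSTS and any(
            a in OFFICE_HOSTS for a in ancestor_images(e["pid"], index)
        ):
            reasons.append("script host descended from an Office process")
        if TEMP_HTA.search(e["cmdline"]):
            reasons.append("command line references an .hta under AppData\\Local\\Temp")
        if reasons:
            findings.append({"pid": e["pid"], "image": img, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}): " + "; ".join(f["reasons"]))
```

Run against the sample, only the mshta.exe process is reported, with both reasons; the notepad.exe process touching a .txt in the same Temp folder is not. In practice the two rules are worth keeping separate in a SIEM: the Office-to-script-host lineage rule is the higher-confidence signal, while the Temp .hta rule catches cases where the parent chain is broken (for example when the second Word instance is launched through COM rather than as a direct child).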