CyberSecurity news
FlagThis
@blog.sekoia.io - 47d
A Russian-linked APT group, known as UAC-0063, is actively targeting Kazakhstan and other Central Asian countries in a cyber espionage campaign. This group, which has connections to APT28 and Russian GRU cyber activities, is using spear-phishing tactics. They utilize weaponized Microsoft Office documents, designed to deploy the HATVIBE malware and CHERRYSPY. The campaign's goal is to gather economic and political intelligence. The Computer Emergency Response Team of Ukraine (CERT-UA) first detailed UAC-0063's activities in early 2023, noting that their targets include government entities across Ukraine, Central Asia, East Asia, and Europe.
The attack chain, dubbed "Double-Tap" by researchers, begins when a user enables a malicious macro in a spear-phishing document. This macro creates a second weaponized document and opens it in a hidden instance of Microsoft Word. This then executes a malicious HTA file embedding a VBS backdoor named HATVIBE. HATVIBE acts as a loader, downloading further VBS modules leading to the deployment of a Python backdoor known as CHERRYSPY. These techniques allow the malware to bypass security measures and maintain persistence.
ImgSrc: t7f4e9n3.delive
References :
The attack chain, dubbed "Double-Tap" by researchers, begins when a user enables a malicious macro in a spear-phishing document. This macro creates a second weaponized document and opens it in a hidden instance of Microsoft Word. This then executes a malicious HTA file embedding a VBS backdoor named HATVIBE. HATVIBE acts as a loader, downloading further VBS modules leading to the deployment of a Python backdoor known as CHERRYSPY. These techniques allow the malware to bypass security measures and maintain persistence.
ImgSrc: t7f4e9n3.delive
Share:
References :
- blog.sekoia.io: Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
- ciso2ciso.com: Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware – Source: securityaffairs.com
- osint10x.com: Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware
- securityaffairs.com: Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware
- The Hacker News: Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware
- osint10x.com: Hackers with likely Kremlin ties target Kazakhstan in espionage campaign
- Osint10x: Hackers with likely Kremlin ties target Kazakhstan in espionage campaign
- ciso2ciso.com: Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware – Source: securityaffairs.com
- Sekoia.io Blog: 🚩 Russian APT Group Targets Kazakhstan Diplomacy with Double-Tap Malware Campaign
Classification:
- HashTags: #CyberEspionage #APT28 #CentralAsia
- Company: Russia
- Target: Kazakhstan
- Attacker: UAC-0063
- Product: Microsoft Office
- Feature: Cyber Espionage
- Malware: HATVIBE
- Type: Espionage
- Severity: Major