@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community. References :
Classification:
@blog.sekoia.io
//
A Russian-linked APT group, known as UAC-0063, is actively targeting Kazakhstan and other Central Asian countries in a cyber espionage campaign. This group, which has connections to APT28 and Russian GRU cyber activities, is using spear-phishing tactics. They utilize weaponized Microsoft Office documents, designed to deploy the HATVIBE malware and CHERRYSPY. The campaign's goal is to gather economic and political intelligence. The Computer Emergency Response Team of Ukraine (CERT-UA) first detailed UAC-0063's activities in early 2023, noting that their targets include government entities across Ukraine, Central Asia, East Asia, and Europe.
The attack chain, dubbed "Double-Tap" by researchers, begins when a user enables a malicious macro in a spear-phishing document. This macro creates a second weaponized document and opens it in a hidden instance of Microsoft Word. This then executes a malicious HTA file embedding a VBS backdoor named HATVIBE. HATVIBE acts as a loader, downloading further VBS modules leading to the deployment of a Python backdoor known as CHERRYSPY. These techniques allow the malware to bypass security measures and maintain persistence. References :
Classification:
|