CyberSecurity news

FlagThis - #APT28

@Talkback Resources //
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft's VBE (encoded VBScript) technique within HTA files as a core component of APT28's malware delivery mechanism. This encoding, produced by the Windows Script Encoder, transforms VBScript and JavaScript files into an obfuscated form that remains executable while concealing its true functionality.

The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community.



References:
  • Virus Bulletin: Cisco Talos researcher Joey Chen describes how Lotus Blossom uses Sagerunex and other hacking tools for post-compromise activities. The espionage operation targets government, manufacturing, telecommunications & media organizations from Philippines, Vietnam, Hong Kong & Taiwan.
  • gbhackers.com: Lotus Blossom Hacker Group Uses Dropbox, Twitter, and Zimbra for C2 Communications
  • Talkback Resources: Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools
  • www.cysecurity.news: Cisco Talos Uncovers Lotus Blossom’s Multi-Campaign Cyber Espionage Operations
  • Cyber Security News: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics in Detail
  • gbhackers.com: Researchers Unveil APT28’s Advanced HTA Trojan Obfuscation Tactics
  • securityaffairs.com: Chinese Lotus Blossom APT targets multiple sectors with Sagerunex backdoor
@blog.sekoia.io //
A Russian-linked APT group, known as UAC-0063, is actively targeting Kazakhstan and other Central Asian countries in a cyber espionage campaign. This group, which has connections to APT28 and Russian GRU cyber activities, is using spear-phishing tactics. They utilize weaponized Microsoft Office documents, designed to deploy the HATVIBE malware and CHERRYSPY. The campaign's goal is to gather economic and political intelligence. The Computer Emergency Response Team of Ukraine (CERT-UA) first detailed UAC-0063's activities in early 2023, noting that their targets include government entities across Ukraine, Central Asia, East Asia, and Europe.

The attack chain, dubbed "Double-Tap" by researchers, begins when a user enables a malicious macro in a spear-phishing document. This macro creates a second weaponized document and opens it in a hidden instance of Microsoft Word. This then executes a malicious HTA file embedding a VBS backdoor named HATVIBE. HATVIBE acts as a loader, downloading further VBS modules leading to the deployment of a Python backdoor known as CHERRYSPY. These techniques allow the malware to bypass security measures and maintain persistence.



References:
  • blog.sekoia.io: Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
  • ciso2ciso.com: Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware – Source: securityaffairs.com
  • osint10x.com: Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware
  • securityaffairs.com: Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware
  • The Hacker News: Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware
  • osint10x.com: Hackers with likely Kremlin ties target Kazakhstan in espionage campaign
  • Sekoia.io Blog: 🚩 Russian APT Group Targets Kazakhstan Diplomacy with Double-Tap Malware Campaign
Classification:
  • HashTags: #CyberEspionage #APT28 #CentralAsia
  • Company: Russia
  • Target: Kazakhstan
  • Attacker: UAC-0063
  • Product: Microsoft Office
  • Feature: Cyber Espionage
  • Malware: HATVIBE
  • Type: Espionage
  • Severity: Major