The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.
The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News.
Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.
While the origins of the threat actor are unknown, the attack patterns suggest that the cluster is aligned with objectives that support the interests of Belarus and Russia’s governments.
Typical attack chains involve using batch scripts masquerading as virus scanners to trigger the deployment of the Aperetif trojan from actor-controlled infrastructure such as compromised WordPress sites.
Aperetif, a Visual C++-based malware, comes with features to collect victim data, maintain backdoor access, and retrieve additional payloads from the command-and-control (C2) server.
“The Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks,” Hegel said.
“Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations.”
The Kremlin-backed nation-state group, notorious for the SolarWinds supply chain compromise in December 2020, has continued to evolve its toolset, developing new custom malware like MagicWeb and GraphicalNeutrino.
It has also been attributed to yet another phishing campaign directed against diplomatic entities in the European Union, with specific emphasis on agencies that are “aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.”
The use of Notion, a popular note-taking application, for C2 communications was previously revealed by Recorded Future in January 2023. It’s worth noting that APT29 has employed various online services like Dropbox, Google Drive, Firebase, and Trello in an attempt to evade detection.
“The threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda,” the company said.
Source: https://thehackernews.com/