
Ukrainian institutions under attack by HATVIBE and CHERRYSPY malware

TLDR:

  • Ukrainian institutions targeted by a spear-phishing campaign delivering the HATVIBE and CHERRYSPY malware.
  • Attack attributed to the threat actor UAC-0063, which is linked to APT28, a Russia-linked nation-state group.

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a spear-phishing campaign targeting a scientific research institution in the country using malware known as HATVIBE and CHERRYSPY. The attack, conducted by a threat actor named UAC-0063, involves sending phishing messages with macro-laced Microsoft Word attachments to employees.

The malicious attachment executes an encoded HTML Application (HTA) called HATVIBE, which establishes persistence on the host and sets up a Python backdoor known as CHERRYSPY. This backdoor allows remote command execution. The attack also exploits a security flaw in HTTP File Server for initial access.

UAC-0063 is linked to APT28, a Russia-affiliated nation-state group also known by names such as BlueDelta and Fancy Bear. The attack comes amid another phishing campaign targeting Ukrainian defense enterprises with booby-trapped PDF files tied to a Lua-based loader called DROPCLUE, which downloads a remote desktop program called Atera Agent.

This development highlights the ongoing cyber espionage and malware threats faced by Ukrainian institutions, with government entities and defense sectors being particularly vulnerable. It is crucial for organizations to remain vigilant and update their security measures to protect against such targeted attacks.
