Winter Vivern APT Group Targeting Indian, Lithuanian, Slovakian, and Vatican Officials
17.3.23  APT  The Hacker News
The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021.

The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News.

"Of particular interest is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war," senior threat researcher Tom Hegel said.

Winter Vivern, also tracked as UAC-0114, drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif.

Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents containing XLM macros to deploy PowerShell implants on compromised hosts.

While the origins of the threat actor are unknown, the attack patterns suggest that the cluster is aligned with objectives that support the interests of the governments of Belarus and Russia.

UAC-0114 has employed a variety of methods, ranging from phishing websites to malicious documents, that are tailored to the targeted organization to distribute its custom payloads and gain unauthorized access to sensitive systems.

In one batch of attacks observed in mid-2022, Winter Vivern set up credential phishing web pages to lure users of the Indian government's legitimate email service email.gov[.]in.

Typical attack chains involve using batch scripts masquerading as virus scanners to trigger the deployment of the Aperetif trojan from actor-controlled infrastructure such as compromised WordPress sites.

Aperetif, a Visual C++-based malware, comes with features to collect victim data, maintain backdoor access, and retrieve additional payloads from the command-and-control (C2) server.

"The Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks," Hegel said.

"Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations."

While Winter Vivern may have managed to evade the public eye for extended periods of time, one group that's not too concerned about staying under the radar is Nobelium, which shares overlaps with APT29 (aka BlueBravo, Cozy Bear, or The Dukes).

The Kremlin-backed nation-state group, notorious for the SolarWinds supply chain compromise in December 2020, has continued to evolve its toolset, developing new custom malware like MagicWeb and GraphicalNeutrino.

It has also been attributed to yet another phishing campaign directed against diplomatic entities in the European Union, with specific emphasis on agencies that are "aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine."

"Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russia-Ukraine war," BlackBerry said. "The threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection."

The phishing emails, spotted by the company's research and intelligence team, contain a weaponized document that includes a link pointing to an HTML file.

The weaponized URLs, hosted on a legitimate online library website based in El Salvador, feature lures related to LegisWrite and eTrustEx, both of which are used by E.U. nations for secure document exchange.

The HTML dropper (dubbed ROOTSAW or EnvyScout) delivered in the campaign embeds an ISO image, which, in turn, is designed to launch a malicious dynamic link library (DLL) that facilitates the delivery of a next-stage malware via Notion's APIs.
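For defenders triaging HTML attachments or downloads, the following added example (not code from the article, BlackBerry, or any vendor named here) flags HTML files that carry an embedded ISO 9660 image. It assumes the image is stored as one contiguous base64 string, which the article does not state; the function name and sample data are constructed for illustration.

```python
import base64
import re

ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # sector 16 (0x8000) plus the 1-byte descriptor type
# Base64 characters needed to reach the end of the magic: ceil(0x8006 / 3) * 4
MIN_B64_LEN = -(-(ISO_MAGIC_OFFSET + len(ISO_MAGIC)) // 3) * 4
# Runs shorter than this cannot contain the descriptor, so they are never matched.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}" % MIN_B64_LEN)


def find_embedded_isos(html: str) -> list[int]:
    """Return character offsets of base64 runs that decode to an ISO 9660 image."""
    hits = []
    for match in B64_RUN.finditer(html):
        # Decode only the prefix that covers the descriptor, not the whole blob.
        head = base64.b64decode(match.group(0)[:MIN_B64_LEN])
        end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
        if head[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
            hits.append(match.start())
    return hits


# --- Constructed sample input (not taken from any real campaign) ---
HTML_PREFIX = '<html><body><script>var d="'
HTML_SUFFIX = '";</script></body></html>'


def build_sample(payload: bytes) -> str:
    """Wrap a payload in a minimal HTML page as a base64 string literal."""
    return HTML_PREFIX + base64.b64encode(payload).decode() + HTML_SUFFIX


# 36864-byte stand-in for a disk image: zeroed system area, then a descriptor.
FAKE_ISO = bytes(0x8000) + b"\x01CD001\x01" + bytes(4089)
# Same size, but a PNG-style header and no ISO descriptor (benign control).
NOT_ISO = b"\x89PNG\r\n\x1a\n" + bytes(36856)

if __name__ == "__main__":
    print("ISO sample hits:", find_embedded_isos(build_sample(FAKE_ISO)))
    print("control hits:", find_embedded_isos(build_sample(NOT_ISO)))
```

A blob that is split across several strings, XOR-encoded, or otherwise transformed before decoding will not match, so treat a miss as inconclusive rather than clean.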

The use of Notion, a popular note-taking application, for C2 communications was previously revealed by Recorded Future in January 2023. It's worth noting that APT29 has employed various online services like Dropbox, Google Drive, Firebase, and Trello in an attempt to evade detection.

"Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the U.S., Europe, and Central Asia," Microsoft stated last month.

The findings also come as enterprise security firm Proofpoint disclosed aggressive email campaigns orchestrated by a Russia-aligned threat actor called TA499 (aka Lexus and Vovan) since early 2021 to trick targets into participating in recorded phone calls or video chats and extract valuable information.

"The threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda," the company said.