The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a spear-phishing attack targeting the country’s scientific research institutions using malware known as HATVIBE and CHERRYSPY.
The agency attributed the attack to a threat actor it tracks under the name UAC-0063, who has previously been seen targeting various government agencies using keyloggers and backdoors to collect sensitive information.
The attack is characterized by the use of compromised email accounts belonging to employees of the organization to send phishing messages containing Microsoft Word (DOCX) attachments with embedded macros to “dozens” of recipients.
Upon opening the document and enabling macros, an encoded HTML Application (HTA) named HATVIBE is executed, which sets up persistence on the host using a scheduled task and paves the way for a Python backdoor codenamed CHERRYSPY that is capable of executing commands issued by a remote server.
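The chain described above (Office document with macros launching an HTA, the HTA registering a scheduled task) leaves a recognisable parent/child trail in process-creation telemetry. The following Python is an added example written for this page, not code from CERT-UA or from the article: it runs three simple detection rules over a handful of constructed Sysmon-style process events. Every file path, task name and command line in the sample data is made up for illustration; the rules key only on the relationships the article states (Office spawning mshta.exe, mshta.exe creating a scheduled task, a scheduled task whose action is an HTA).

```python
"""Flag the macro -> HTA -> scheduled-task chain in process-creation events.

Added example for this page; the events below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Office hosts whose macros are the usual launcher for a dropped HTA.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Substrings that show a scheduled task's action is an HTML Application.
HTA_MARKERS = ("mshta", ".hta")


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    parent = _basename(event.parent_image)
    child = _basename(event.image)
    cmd = event.command_line.lower()
    findings = []
    # Rule 1: an Office application directly launching the HTA host.
    if parent in OFFICE_PARENTS and child == "mshta.exe":
        findings.append("office_spawned_hta")
    # Rule 2: the HTA host itself registering a scheduled task (persistence).
    if parent == "mshta.exe" and child == "schtasks.exe" and "/create" in cmd:
        findings.append("hta_created_scheduled_task")
    # Rule 3: any scheduled task whose action re-runs an HTA.
    if child == "schtasks.exe" and "/create" in cmd and any(m in cmd for m in HTA_MARKERS):
        findings.append("scheduled_task_runs_hta")
    return findings


def scan(events) -> dict:
    """Map event index -> findings for every event that matched at least one rule."""
    hits = {}
    for index, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits[index] = findings
    return hits


# Constructed sample events: two from the described chain, two benign.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\mshta.exe",
        r'mshta.exe "C:\Users\user\AppData\Local\Temp\invite.hta"',
    ),
    ProcessEvent(
        r"C:\Windows\System32\mshta.exe",
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /create /sc minute /mo 5 /tn "Update" '
        r'/tr "mshta.exe C:\Users\user\AppData\Roaming\update.hta"',
    ),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\notepad.exe",
        "notepad.exe",
    ),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\schtasks.exe",
        "schtasks.exe /query /fo list",
    ),
]


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(findings)}")
```

Rule 1 alone is a strong signal in most environments, since legitimate documents rarely need to start mshta.exe; rules 2 and 3 catch the persistence step even when the initial launch was missed. In a real deployment the event fields would come from Sysmon event ID 1 or an equivalent EDR process-start record rather than the inline list.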
CERT-UA said it had detected “numerous instances” of HATVIBE infections exploiting a known security flaw in HTTP file servers (CVE-2024-23692, CVSS score: 9.8) to gain initial access.
UAC-0063 has been linked with medium confidence to a Russia-linked nation-state group known as APT28. APT28, also known as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is affiliated with Russia’s strategic military intelligence unit, the GRU.
This development comes after CERT-UA published details of another phishing campaign targeting Ukrainian defense companies, using booby-trapped PDF files with embedded links that, when clicked, download an executable file (tracked as GLUEEGG), which is responsible for decrypting and executing a Lua-based loader called DROPCLUE.
DROPCLUE is designed to display a decoy document to the victim while using the curl utility to quietly download a legitimate remote desktop program called Atera Agent. This attack is associated with a cluster tracked as UAC-0180.