The advanced persistent threat known as Winter
Vivern has been linked to campaigns targeting government
officials in India, Lithuania, Slovakia, and the Vatican since
2021.
The activity targeted Polish government agencies, Ukraine's
Ministry of Foreign Affairs, Italy's Ministry of Foreign Affairs,
and individuals within the Indian government, SentinelOne said in a
report shared with The Hacker News.
“Of particular interest is the APT’s targeting of private
businesses, including telecommunications organizations that support
Ukraine in the ongoing war,” senior threat researcher Tom Hegel
said[1].
Winter Vivern, also tracked as UAC-0114, drew attention[2]
last month after the Computer Emergency Response Team of Ukraine
(CERT-UA) detailed a new malware campaign aimed at state
authorities of Ukraine and Poland to deliver a piece of malware
dubbed Aperetif.
Previous public reports chronicling the group show that it has
leveraged weaponized Microsoft Excel documents containing XLM
macros to deploy PowerShell implants on compromised hosts.
While the origins of the threat actor are unknown, the attack
patterns suggest that the cluster is aligned with objectives that
support the interests of Belarus and Russia’s governments.
UAC-0114 has employed a variety of methods, ranging from
phishing websites to malicious documents, that are tailored to the
targeted organization to distribute its custom payloads and gain
unauthorized access to sensitive systems.
In one set of attacks observed in mid-2022, Winter Vivern set up
credential phishing web pages to lure users of the Indian
government’s legitimate email service email.gov[.]in.
Typical attack chains involve using batch scripts masquerading
as virus scanners to trigger the deployment of the Aperetif trojan
from actor-controlled infrastructure such as compromised WordPress
sites.
Aperetif, a Visual C++-based malware, comes with features to
collect victim data, maintain backdoor access, and retrieve
additional payloads from the command-and-control (C2) server.
“The Winter Vivern APT is a resource-limited but highly creative
group that shows restraint in the scope of their attacks,” Hegel
said.
“Their ability to lure targets into the attacks, and their
targeting of governments and high-value private businesses
demonstrate the level of sophistication and strategic intent in
their operations.”
While Winter Vivern may have managed to evade the public eye for
extended periods of time, one group that’s not too concerned about
staying under the radar is Nobelium, which shares overlaps with
APT29 (aka BlueBravo, Cozy Bear, or The Dukes).
The Kremlin-backed nation-state group, notorious for the
SolarWinds supply chain
compromise[3] in December 2020, has
continued to evolve its toolset, developing new custom malware like
MagicWeb[4]
and GraphicalNeutrino[5].
It has also been attributed to yet another phishing campaign
directed against diplomatic entities in the European Union, with
specific emphasis on agencies that are “aiding Ukrainian citizens
fleeing the country, and providing help to the government of
Ukraine.”
“Nobelium actively collects intelligence information about the
countries supporting Ukraine in the Russia-Ukraine war,” BlackBerry
said[6]. “The threat actors
carefully follow geopolitical events and use them to increase their
possibility of a successful infection.”
The phishing emails, spotted by the company’s research and
intelligence team, contain a weaponized document that includes a
link pointing to an HTML file.
The weaponized URLs, hosted on a legitimate online library
website based in El Salvador, feature lures related to LegisWrite
and eTrustEx, both of which are used by E.U. nations for secure
document exchange.
The HTML dropper (dubbed ROOTSAW or EnvyScout[8]) delivered in the
campaign embeds an ISO image, which, in turn, is designed to launch
a malicious dynamic link library (DLL) that facilitates the
delivery of a next-stage malware via Notion’s APIs.
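The dropper layout described above, an HTML file that carries an ISO image as an embedded blob, can be triaged offline. The following is an added, defender-side example written for this page; it is not code from BlackBerry, SentinelOne or the article, and it assumes the simplest layout (the image stored as one unobfuscated base64 string). It decodes every long base64 run in an HTML file, checks for the ISO 9660 "CD001" volume-descriptor signature at byte 0x8001, and reports whether the image contains a well-formed PE (EXE/DLL) header. The sample HTML is constructed inside the script and contains no real malware.

```python
import base64
import binascii
import re
import struct

# ISO 9660 images carry the "CD001" volume-descriptor signature at byte 0x8001.
ISO_SIG_OFFSET = 0x8001
ISO_SIG = b"CD001"

# Only base64 runs long enough to plausibly hold a disk image are decoded;
# shorter runs (inline icons, small scripts) are skipped.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{1024,}={0,2}")


def has_pe_header(data: bytes) -> bool:
    """Return True if a well-formed PE (EXE/DLL) header appears anywhere in data."""
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (file offset of the "PE\0\0" signature) is stored at MZ+0x3c.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = data.find(b"MZ", pos + 1)
    return False


def find_smuggled_isos(html: bytes) -> list:
    """Decode every long base64 run in an HTML file and flag runs that are ISO images."""
    findings = []
    for m in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue
        is_iso = blob[ISO_SIG_OFFSET : ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG
        if not is_iso:
            continue
        findings.append({
            "offset_in_html": m.start(),
            "decoded_size": len(blob),
            "is_iso": True,
            "has_pe": has_pe_header(blob),
        })
    return findings


def build_sample_html() -> bytes:
    """Constructed test input (not a real dropper): an HTML page smuggling a fake
    ISO image that in turn holds a minimal fake PE header, mimicking the ISO-plus-DLL
    layout the campaign report describes."""
    fake_pe = bytearray(0x100)
    fake_pe[0:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)   # e_lfanew -> 0x80
    fake_pe[0x80:0x84] = b"PE\x00\x00"
    image = bytearray(0x10000 + len(fake_pe))
    image[ISO_SIG_OFFSET : ISO_SIG_OFFSET + len(ISO_SIG)] = ISO_SIG
    image[0x10000 : 0x10000 + len(fake_pe)] = fake_pe
    b64 = base64.b64encode(bytes(image))
    return b'<html><body><script>var payload = "' + b64 + b'";</script></body></html>'


SAMPLE_HTML = build_sample_html()

if __name__ == "__main__":
    for finding in find_smuggled_isos(SAMPLE_HTML):
        print(finding)
```

Real droppers frequently split, reverse or XOR the blob before a script reassembles it, so a clean match here is strong evidence but a miss is not a clean bill of health; the decoded-size and has_pe fields are meant to feed a triage queue, not to replace sandbox detonation.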
The use of Notion, a popular note-taking application, for C2
communications was previously revealed by Recorded Future in
January 2023. It’s worth noting that APT29 has employed[9]
various online services like Dropbox, Google Drive[10], Firebase, and Trello[11] in an attempt to evade
detection.
“Nobelium remains highly active, executing multiple campaigns in
parallel targeting government organizations, non-governmental
organizations (NGOs), intergovernmental organizations (IGOs), and
think tanks across the U.S., Europe, and Central Asia,” Microsoft
stated[12] last month.
The findings also come as enterprise security firm Proofpoint
disclosed aggressive email campaigns orchestrated since early 2021 by a
Russia-aligned threat actor called TA499 (aka Lexus and Vovan)
that aim to trick targets into participating in recorded
phone calls or video chats and to extract valuable information from them.
“The threat actor has engaged in steady activity and expanded
its targeting to include prominent businesspeople and high-profile
individuals that have either made large donations to Ukrainian
humanitarian efforts or those making public statements about
Russian disinformation and propaganda,” the company said[13].
References
[1] said (www.sentinelone.com)
[2] drew attention (thehackernews.com)
[3] SolarWinds supply chain compromise (thehackernews.com)
[4] MagicWeb (thehackernews.com)
[5] GraphicalNeutrino (thehackernews.com)
[6] said (blogs.blackberry.com)
[8] ROOTSAW or EnvyScout (thehackernews.com)
[9] employed (thehackernews.com)
[10] Dropbox, Google Drive (thehackernews.com)
[11] Trello (inquest.net)
[12] stated (www.microsoft.com)
[13] said (www.proofpoint.com)
Source: https://thehackernews.com/2023/03/winter-vivern-apt-group-targeting.html
