Russian hackers deploy HATVIBE and CHERRYSPY malware across Europe and Asia.

420/67 Tuesday, November 26, 2024

A Russian-linked cyber threat group has been identified as the perpetrator behind a cyber-espionage campaign targeting Central Asia, East Asia, and Europe. The campaign uses custom-tailored malware to steal critical information. Recorded Future’s Insikt Group tracks the threat actor as TAG-110, which overlaps with the UAC-0063 group tracked by CERT-UA (the Computer Emergency Response Team of Ukraine) and is linked to the APT28 hacking group, also known as Fancy Bear.

TAG-110’s operations date back to 2021, leveraging malware known as HATVIBE and CHERRYSPY. HATVIBE acts as a loader to deploy CHERRYSPY, a Python-based backdoor used for data theft and espionage. The use of these tools was first detected in May 2023, targeting Ukrainian government agencies. By 2024, the malware infiltrated a scientific research institution in an undisclosed country. TAG-110 has since expanded its attacks to countries including Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, Uzbekistan, Armenia, China, Hungary, India, Greece, and Ukraine. In Central Asia alone, 62 victims across 11 countries have been identified, underscoring the region’s strategic importance for intelligence gathering in support of Russia’s geopolitical objectives.

The group gains initial access by exploiting vulnerabilities in public-facing web applications, such as Rejetto HTTP File Server, and by sending phishing emails that deliver HATVIBE. Once inside the target system, HATVIBE acts as the loader that installs CHERRYSPY, which then collects and exfiltrates sensitive data.

Beyond cyber-espionage, Russia has intensified sabotage operations targeting critical infrastructure in Europe since its invasion of Ukraine in February 2022. Countries such as Estonia, Finland, Latvia, Lithuania, Norway, and Poland have been targeted to destabilize NATO allies and reduce support for Ukraine. Recorded Future highlights these efforts as part of Russia’s hybrid warfare strategy, combining cyberattacks, sabotage, and influence operations to achieve objectives without escalating to full-scale war. As tensions between Russia and the West persist, these attacks are expected to increase in frequency and severity. Experts recommend that targeted nations enhance cybersecurity measures, fortify critical infrastructure, and closely monitor suspicious activities.

Source: https://thehackernews.com/2024/11/russian-hackers-deploy-hatvibe-and.html