The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has published technical details of a cyberattack by the UAC-0063 group against a Ukrainian research institution, in which the malware families known as Hatvibe and Cherryspy were used.
In the initial compromise stage, the attacker gained access to an employee's email account and re-sent a copy of a message that account had recently sent to dozens of recipients, including the message's original sender. The document originally attached to the message was replaced with another document containing an embedded macro.
If the DOCX document was opened and its macro allowed to run, it created and opened a second document (DOC) that carried its own macro. That second macro wrote an encoded HTA file of the Hatvibe malware ("RecordsService") to the infected machine and created a scheduled task, stored as the file "C:\Windows\System32\Tasks\vManage\StandaloneService", to execute it.
Using the remote access this backdoor provided, the attackers later downloaded a Python interpreter and the Cherryspy malware into the "C:\ProgramData\Python" directory on the infected computer. Unlike the earlier version, which was obfuscated with PyArmor, this build of Cherryspy was compiled into a .pyd file (a Python extension module in DLL form).
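The two host artifacts named above (the task file under vManage\StandaloneService and the Python drop directory in ProgramData) are enough to hunt for this chain on a fleet. The script below is an added example, not code from CERT-UA or the article: it parses Windows scheduled-task XML and a file listing and reports anything that matches. It runs offline on constructed samples embedded in the block; on a live host you would feed it the XML files under C:\Windows\System32\Tasks and a directory walk of C:\ProgramData. Two things are assumptions rather than facts from the report: that the task launches the HTA through mshta.exe (the normal HTA host on Windows), and the file names RecordsService.hta and cherryspy.pyd, which are placeholders because the page does not give them.

```python
"""Host-artifact hunt for the Hatvibe/Cherryspy infection chain.

Added example, not code from CERT-UA or the original article. Runs offline on
constructed samples; on a real host feed it the task XML from
C:\\Windows\\System32\\Tasks and a listing of C:\\ProgramData.
Assumption (not stated on the page): the task runs the HTA via mshta.exe, and
the HTA / .pyd file names in the samples are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the article: task file location and Python drop directory.
TASK_PATH_IOC = re.compile(r"\\vManage\\StandaloneService$", re.IGNORECASE)
PYTHON_DROP_DIR = re.compile(r"^C:\\ProgramData\\Python\\", re.IGNORECASE)
# Assumption: an HTA is executed by mshta.exe, the Windows HTA host.
HTA_HOST = re.compile(r"(^|\\)mshta(\.exe)?$", re.IGNORECASE)


def check_task(task_path: str, task_xml: str) -> List[str]:
    """Return the reasons a scheduled-task definition matches the chain (empty if clean)."""
    reasons: List[str] = []
    if TASK_PATH_IOC.search(task_path):
        reasons.append(f"task stored at known Hatvibe location: {task_path}")
    root = ET.fromstring(task_xml.strip())
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if HTA_HOST.search(command) or ".hta" in arguments.lower():
            reasons.append(f"task action runs an HTA: {command} {arguments}".rstrip())
    return reasons


def check_files(paths: List[str]) -> List[str]:
    """Flag a Python interpreter or .pyd module staged under C:\\ProgramData\\Python."""
    reasons: List[str] = []
    for path in paths:
        if not PYTHON_DROP_DIR.match(path):
            continue
        lower = path.lower()
        if lower.endswith("python.exe"):
            reasons.append(f"Python interpreter staged outside a normal install: {path}")
        elif lower.endswith(".pyd"):
            reasons.append(f"compiled Python extension (.pyd) in drop directory: {path}")
    return reasons


def hunt(tasks: Dict[str, str], files: List[str]) -> List[str]:
    """Run both checks over a task map (file path -> XML) and a file listing."""
    findings: List[str] = []
    for task_path, task_xml in tasks.items():
        findings.extend(check_task(task_path, task_xml))
    findings.extend(check_files(files))
    return findings


# Constructed samples (not captured from a real incident): one task shaped like the
# article's description, one benign built-in Windows task, and a short file listing.
SAMPLE_TASKS: Dict[str, str] = {
    r"C:\Windows\System32\Tasks\vManage\StandaloneService": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>C:\ProgramData\RecordsService.hta</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}
SAMPLE_FILES: List[str] = [
    r"C:\ProgramData\Python\python.exe",
    r"C:\ProgramData\Python\cherryspy.pyd",  # placeholder name; not given on the page
    r"C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_TASKS, SAMPLE_FILES):
        print("[!]", line)
```

The task-path check is deliberately separate from the action check: the first catches this specific campaign, the second (any task whose action runs mshta.exe or names an .hta file) also catches a re-tooled variant that uses a different task name, at the cost of needing a review of legitimate HTA-based tasks in your environment.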
CERT-UA associates the activity tracked as UAC-0063 with moderate confidence with the APT28 group (UAC-0001), which is directly linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). A DOCX document with a similar macro was also found on VirusTotal, uploaded from Armenia on July 16, 2024.
That document's decoy content was a garbled text purportedly addressed to the Defense Policy Department of the Ministry of Defense of the Republic of Armenia from the International Military Cooperation Department of the Ministry of Defense of the Kyrgyz Republic.
In June 2024, CERT-UA also recorded numerous Hatvibe backdoor installations that exploited CVE-2024-23692, a template injection vulnerability in the HFS (HTTP File Server) software that can lead to remote code execution. Internet-exposed HFS instances are therefore a second entry point to check for this backdoor, independent of the email-borne document chain.