23 July 2024

Russia-linked hackers exploit critical Rejetto flaw to drop Hatvibe backdoor

The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has shared technical details of a cyberattack orchestrated by the UAC-0063 group against a Ukrainian research institution that utilized malicious software known as Hatvibe and Cherryspy.

During the initial compromise stage, the attacker accessed an employee's email account and sent a copy of a recently sent email to dozens of recipients, including the original sender. The attached document in the email was replaced with another document containing an embedded macro.

If the DOCX document was opened and the macro activated, it would create and open another document (DOC) carrying its own macro. That second macro would then write the HATVIBE malware to the infected machine as an encoded HTA file named "RecordsService", together with a scheduled task file "C:\Windows\System32\Tasks\vManage\StandaloneService" to execute it.

Exploiting this hidden remote control capability, the attackers later downloaded a Python interpreter and the Cherryspy malware file into the "C:\ProgramData\Python" directory on the infected computer. Unlike its previous version obfuscated with pyArmor, this iteration was compiled into a .pyd (DLL) file.
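A defender can turn the host artifacts named above (the scheduled task file under vManage, the Python drop in C:\ProgramData\Python, the .pyd module) into a simple file-creation triage rule. The following Python is an added example, not code from CERT-UA or from the report; the Sysmon-style event lines it scans are constructed for illustration, and the field layout is an assumption.

```python
import re

# Host artifacts named in the CERT-UA description of the UAC-0063 intrusion
# (compared case-insensitively, so both are lower case here).
TASK_FILE = r"c:\windows\system32\tasks\vmanage\standaloneservice"
PYTHON_DIR = "c:\\programdata\\python\\"

# Assumed flattened Sysmon FileCreate (Event ID 11) layout; adapt to your own pipeline.
EVENT_RE = re.compile(
    r"host=(?P<host>\S+)\s+EventID=(?P<id>\d+)\s+Image=(?P<image>.+?)\s+"
    r"TargetFilename=(?P<target>.+)$"
)

# Constructed sample telemetry, not real logs from the incident.
SAMPLE_EVENTS = [
    r"2024-06-12T09:14:02Z host=ws-17 EventID=11 Image=C:\Program Files\Microsoft Office\WINWORD.EXE TargetFilename=C:\Windows\System32\Tasks\vManage\StandaloneService",
    r"2024-06-12T09:14:05Z host=ws-17 EventID=11 Image=C:\Windows\System32\mshta.exe TargetFilename=C:\ProgramData\Python\python.exe",
    r"2024-06-12T09:14:07Z host=ws-17 EventID=11 Image=C:\Windows\System32\mshta.exe TargetFilename=C:\ProgramData\Python\cherryspy.pyd",
    r"2024-06-12T09:20:00Z host=ws-18 EventID=11 Image=C:\Program Files\Git\bin\git.exe TargetFilename=C:\Users\anna\repo\README.md",
    r"2024-06-12T09:21:30Z host=ws-18 EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Caches\x.db",
]


def classify(line):
    """Return a finding label for one FileCreate event line, or None if nothing matches."""
    m = EVENT_RE.search(line)
    if not m or m.group("id") != "11":
        return None
    target = m.group("target").strip().lower()
    if target == TASK_FILE:
        return "hatvibe_task_file"          # exact task file path from the report
    if target.startswith(PYTHON_DIR):
        if target.endswith(".pyd"):
            return "cherryspy_pyd_module"   # compiled .pyd dropped with the interpreter
        return "python_drop_in_programdata" # any other file landing in the Python drop dir
    return None


def scan(lines):
    """Run classify over a batch of event lines; return (host, label, target) findings."""
    findings = []
    for line in lines:
        label = classify(line)
        if label:
            m = EVENT_RE.search(line)
            findings.append((m.group("host"), label, m.group("target").strip()))
    return findings


if __name__ == "__main__":
    for host, label, target in scan(SAMPLE_EVENTS):
        print(f"{host}: {label} -> {target}")
```

The task file path is matched exactly because it is the only value the report gives; the ProgramData rule is deliberately broader, so expect to tune it against legitimate Python installs in your environment.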

The activity tracked under the identifier UAC-0063 is associated with moderate confidence with the APT28 group (UAC-0001), which is directly linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Additionally, a DOCX document with a similar macro was found on VirusTotal, uploaded from Armenia on July 16, 2024.

The document's decoy content included a distorted text purportedly addressed to the Defense Policy Department of the Ministry of Defense of the Republic of Armenia from the International Military Cooperation Department of the Ministry of Defense of the Kyrgyz Republic.

In June 2024, numerous instances of Hatvibe backdoor installation were recorded, exploiting a vulnerability (CVE-2024-23692) in the HFS HTTP File Server software. The flaw is a template injection issue that can allow remote code execution.
