Winter Vivern APT group uses unknown set of espionage campaigns to strike government and private entities

SentinelLabs identified Winter Vivern APT (advanced persistent threat) activity, building on observations made by the Polish CBZC and Ukraine CERT. The group employs various tactics, such as phishing websites, credential phishing, and the deployment of malicious documents, each tailored to the specific target organization. The result is the deployment of custom loaders and malicious documents that give the actor unauthorized access to sensitive systems and information.

“Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments. The APT has targeted a variety of government organizations, and in a rare instance, a private telecommunication organization,” Tom Hegel, senior threat researcher at SentinelOne, wrote in a company blog post. The research team also uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.

Hegel added that the team’s analysis of Winter Vivern’s past activity indicates that the APT has targeted various government organizations since 2021, including those in Lithuania, India, the Vatican, and Slovakia. “Recently linked campaigns reveal that Winter Vivern has targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government. Of particular interest is the APT’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war,” he added.

The threat actor’s targeting of a range of government and private entities highlights the need for increased vigilance, as the group’s operations span a global set of targets directly and indirectly involved in the war.

Hegel identified that Winter Vivern’s tactics have included the use of malicious documents, often crafted from authentic government documents publicly available or tailored to specific themes. More recently, the group has utilized a new lure technique that involves mimicking government domains to distribute malicious downloads.

“In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine,” he said. “In mid-2022, the attackers also made an interesting, lesser observed, use of government email credential phishing webpages.”

When the research team looked back at less recent activity, “we can see in December 2022 the group likely targeted individuals associated with the Hochuzhit[dot]com (‘I Want to Live’) project, the Ukraine government website offering guidance and instructions to Russian and Belarus Armed Forces seeking to voluntarily surrender in the war,” Hegel said. “In these attacks, the threat actor made use of a macro-enabled Excel spreadsheet to infect the target. When the threat actor seeks to compromise the organization beyond the theft of legitimate credentials, Winter Vivern tends to rely on shared toolkits, and the abuse of legitimate Windows tools,” he added.

The research further identified that Winter Vivern APT falls into the category of scrappy threat actors: resourceful, able to accomplish a lot with potentially limited resources, and willing to be flexible and creative in their approach to problem-solving. Recent campaigns demonstrate the group’s use of lures to initiate the infection process, with batch scripts disguised as virus scanners prompting downloads of malware from attacker-controlled servers.

The research detailed one malware family of recent activity ‘Apereitif,’ named by CERT-UA based on the development PDB path inside the sample. “We identified a related sample following similar use, although it is less complete in malicious design. These samples align with the theme of attacks mimicking a virus scanner, presenting users with fake scan results similar to the script loaders. Known samples are PE32 executables, written in Visual C++, with a compilation timestamp of May 2021. We assess the threat actor shifted from these original executables to the delivery of batch files with PowerShell scripting, with overlap in their use,” Hegel revealed.

Apereitif is a trojan that automates the collection of victim details, maintains access, and beacons outbound to the actor-controlled domain marakanas[dot]com. As with the previous script, the trojan runs ‘whoami’ within PowerShell in its initial activity before beaconing outbound for further instructions and/or downloads.
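The sequence described above (a PowerShell-launched `whoami` followed shortly by a beacon to the actor-controlled domain) is a usable detection pattern. The following Python sketch is an added example, not code from the SentinelLabs report or this article; it runs over constructed telemetry, and the event layout, hostnames and timestamps are assumptions, with only the marakanas domain taken from the reporting.

```python
"""Toy detection for the Winter Vivern pattern: PowerShell runs `whoami`,
then beacons outbound within a short window. All records are constructed."""
from datetime import datetime, timedelta

# Domain named in the reporting above; everything else here is a sample value.
WATCHLIST = {"marakanas.com"}
WINDOW = timedelta(seconds=120)   # whoami -> beacon within two minutes

# Constructed events: (timestamp, host, kind, detail). "proc" carries the
# command line of a process started by the shell; "dns" carries the name
# that powershell.exe resolved afterwards.
EVENTS = [
    ("2023-03-16T10:00:01", "WS01", "proc", "powershell.exe -w hidden -c whoami /all"),
    ("2023-03-16T10:00:05", "WS01", "dns", "marakanas.com"),
    ("2023-03-16T10:30:00", "WS02", "proc", "powershell.exe Get-Process"),
    ("2023-03-16T10:30:02", "WS02", "dns", "update.microsoft.com"),
    ("2023-03-16T11:00:00", "WS03", "proc", "cmd.exe /c whoami"),
    ("2023-03-16T11:00:01", "WS03", "dns", "intranet.example.local"),
]


def find_whoami_beacons(events, watchlist=WATCHLIST, window=WINDOW):
    """Return (host, domain, severity) for each PowerShell whoami that is
    followed within `window` by a DNS lookup from the same host:
    'high' when the name is on the watchlist, 'medium' for any other
    non-internal name (worth triage, since the actor's next domain may be new)."""
    pending = {}   # host -> time of the most recent PowerShell-launched whoami
    alerts = []
    for ts, host, kind, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        low = detail.lower()
        if kind == "proc" and "powershell" in low and "whoami" in low:
            pending[host] = t
        elif kind == "dns" and host in pending and t - pending[host] <= window:
            domain = low.rstrip(".")
            if domain in watchlist:
                alerts.append((host, domain, "high"))
            elif not domain.endswith(".local"):
                alerts.append((host, domain, "medium"))
    return alerts


if __name__ == "__main__":
    for host, domain, severity in find_whoami_beacons(EVENTS):
        print(f"{severity.upper()}: {host} ran whoami via PowerShell, then resolved {domain}")
```

Only WS01 fires on the sample data: WS02 never ran whoami and WS03 ran it from cmd.exe rather than PowerShell, which keeps the rule narrow enough to avoid paging on routine admin work.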

“Moreover, Winter Vivern employs other intrusion techniques, such as exploiting application vulnerabilities to compromise specific targets or staging servers,” Hegel said. “An attacker-controlled server was found to host a login page for the Acunetix web application vulnerability scanner, which may serve as a supplementary resource for scanning target networks and potentially used to compromise WordPress sites for malware hosting purposes.”

In conclusion, Hegel said that the Winter Vivern threat actor, whose espionage operations are the subject of this research, has been able to carry out its attacks using simple yet effective techniques and tools. “Their ability to lure targets into the attacks and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations. The dynamic set of TTPs and their ability to evade the public eye has made them a formidable force in the cyber domain,” he added.

Last July, SentinelLabs identified a new cluster of threat activity targeting Russian organizations, which are increasingly under attack by Chinese APTs. The attacks use phishing emails to deliver Office documents that exploit the target and drop the actor’s RAT of choice, most commonly ‘Bisonal.’ The firm also assesses ‘with high confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA).’
