Russian Cyber Spies Target Organizations with Custom Malware


A Russian-aligned hacking group is conducting a cyber espionage campaign across Europe and Asia, according to Recorded Future.

Insikt Group, Recorded Future’s threat intelligence team, said in a November 21 report that a group it tracks as TAG-110 has been using custom malware to compromise government entities, human rights groups and educational institutions.

The researchers have identified 62 unique victims targeted by two of TAG-110’s custom malware strains, HatVibe and CherrySpy, across eleven countries, with most of the identified victims in Central Asia.

This new campaign reportedly started in July 2024; the 62 victims are located in Armenia, China, Greece, Hungary, India, Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.

The majority were in Central Asian countries (Tajikistan, Kyrgyzstan, Turkmenistan and Kazakhstan). Notable victims include the National Center for Human Rights of the Republic of Uzbekistan; KMG-Security, a subsidiary of the Kazakh state-owned oil and gas enterprise KazMunayGas; and a Tajik educational and research institution.

Previous reports have detailed that, alongside its primary targets in Central Asia, TAG-110’s secondary targets include India, Israel, Mongolia and Ukraine.

Insikt Group believes TAG-110’s motivation is to acquire intelligence to bolster Russiaʼs military efforts in Ukraine and gather insights into geopolitical events in neighboring countries.

Unpacking TAG-110’s Latest Espionage Campaign

Victims have been targeted by two of TAG-110’s custom malware strains, HatVibe and CherrySpy, across eleven countries.

HatVibe is a custom HTML Application (HTA) loader primarily designed to deploy additional malware, such as the CherrySpy backdoor, but it can also execute arbitrary VBScript. It is likely delivered through malicious Word documents or by exploiting vulnerabilities such as CVE-2024-23692, a remote code execution flaw in the Rejetto HTTP File Server. Once on a host, HatVibe achieves persistence via a scheduled task that launches the HTA file with mshta.exe, the Windows binary that executes HTA content, so scheduled tasks whose action invokes mshta.exe are the most direct host-side indicator of the loader. The loader employs two layers of obfuscation, VBScript encoding and XOR encryption, which makes detection and analysis more difficult.

CherrySpy is a Python-based backdoor used for espionage. HatVibe deploys it together with its own Python interpreter, and it maintains persistence through scheduled tasks of its own.

In its latest campaign, CherrySpy has been compiled into a Python Dynamic Module (.pyd, a Windows DLL exposing a Python extension module) rather than shipped as plain .py source, which hinders static inspection and signature-based detection.

It communicates with its command-and-control server over HTTP POST requests, using RSA for key exchange and AES to encrypt the exchanged data. CherrySpy also includes unique identifiers, such as a hard-coded 24-character ID and a SHA-256 checksum, to identify the implant and verify the integrity of its communication.

The group also uses two other custom malware families, LogPie and StillArch.

TAG-110, A Likely Subset of APT28

The new campaign, which reportedly started in July 2024, aligns with historical reporting on UAC-0063, a cluster that Ukraine’s Computer Emergency Response Team (CERT-UA) first identified in May 2023 and attributed with moderate confidence to the Russian state-sponsored advanced persistent threat (APT) group BlueDelta (APT28).

CERT-UA showed that UAC-0063 used CherrySpy as early as the beginning of 2023, with a focus on Central Asia.

APT28 has historically been associated with cyber espionage campaigns across Central Asia.

“While CERT-UAʼs moderate confidence attribution to BlueDelta cannot be confirmed at this time, TAG-110ʼs activity does overlap with BlueDeltaʼs strategic interests in the areas of national security, military operations, and geopolitical influence,” said the Insikt Group report.

Recorded Future’s Recommended Mitigation Measures

The researchers anticipate that TAG-110 will conduct similar campaigns in the near term, likely with a continued focus on the post-Soviet Central Asian states along Russiaʼs periphery, as well as Ukraine and its supporting states.

To prevent and mitigate TAG-110, Recorded Future recommended:

  • Deploying intrusion detection systems (IDS), intrusion prevention systems (IPS) or equivalent network defense mechanisms
  • Deploying the Snort, Suricata and YARA rules published in the report to alert on network communications linked to HatVibe and CherrySpy, and using them to hunt for existing infections in the network
  • Monitoring, for example with Process Monitor, for scheduled tasks whose action launches mshta.exe, which is how HatVibe establishes persistence
  • Ensuring prompt patching of vulnerable software
  • Enforcing strong security awareness through proactive and interactive exercises
  • Training users to recognize phishing emails and to exercise caution when clicking on links or opening attachments in emails
  • Enabling multifactor authentication (MFA) wherever possible
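The mshta.exe persistence mechanism described for HatVibe above, and the recommendation to monitor for scheduled tasks that launch it, translate into a simple host-side hunt. The Python script below is an added example, not code from Recorded Future or from the TAG-110 report: it parses Windows Task Scheduler definitions (the XML files Windows stores under C:\Windows\System32\Tasks) and flags tasks whose action runs mshta.exe or references an .hta file. Going one step beyond the text, it also flags tasks that launch a Python interpreter from a user-writable directory, which is what a dropped CherrySpy interpreter kept alive by a scheduled task would look like. The sample task bodies, every path in them and the list of "user-writable" directories are constructed assumptions for the example, not indicators taken from the report.

```python
"""Hunt Task Scheduler definitions for mshta.exe / .hta / dropped-Python actions.

Added example, not code from Recorded Future or the TAG-110 report.
Windows stores each scheduled task as an XML file under
C:\\Windows\\System32\\Tasks; the task bodies below are constructed samples
and every path in them is hypothetical.
"""
import ntpath
import os
import sys
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TASK_ROOT = r"C:\Windows\System32\Tasks"      # default Task Scheduler store
PYTHON_EXES = {"python.exe", "pythonw.exe"}
# Assumption: user-writable locations a loader would drop its payload into.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample tasks (real files carry an XML declaration and are UTF-16).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\sc.exe</Command><Arguments>start w32time</Arguments></Exec>
  </Actions>
</Task>"""

HATVIBE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\mshta.exe</Command>
      <Arguments>"C:\Users\Public\Libraries\report.hta"</Arguments>
    </Exec>
  </Actions>
</Task>"""

CHERRYSPY_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\python\pythonw.exe</Command>
      <Arguments>C:\Users\alice\AppData\Local\python\run.py</Arguments>
    </Exec>
  </Actions>
</Task>"""


def task_actions(xml_text):
    """Return (command, arguments) pairs for every <Exec> action in a task."""
    root = ET.fromstring(xml_text)
    pairs = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        cmd = exec_node.findtext(TASK_NS + "Command", default="")
        args = exec_node.findtext(TASK_NS + "Arguments", default="")
        pairs.append((cmd.strip(), args.strip()))
    return pairs


def classify_task(xml_text):
    """Return the reasons a task looks like HatVibe/CherrySpy persistence.

    An empty list means nothing matched.
    """
    reasons = []
    for cmd, args in task_actions(xml_text):
        cmd_l, args_l = cmd.lower(), args.lower()
        exe = ntpath.basename(cmd_l.strip('"'))   # ntpath handles Windows paths on any OS
        in_user_dir = any(d in cmd_l or d in args_l for d in USER_WRITABLE)
        if exe == "mshta.exe":
            reasons.append(f"action runs mshta.exe with arguments {args!r}")
        elif "mshta" in args_l:                    # e.g. cmd.exe /c mshta ...
            reasons.append(f"mshta invoked indirectly through {cmd!r}")
        if ".hta" in cmd_l or ".hta" in args_l:
            reasons.append("action references an .hta file")
        if exe in PYTHON_EXES and in_user_dir:
            reasons.append(f"Python interpreter run from a user-writable path: {cmd!r}")
    return reasons


def scan_task_dir(root_dir=TASK_ROOT):
    """Walk a Task Scheduler store and return {file path: reasons} for hits."""
    hits = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:      # bytes let the parser honour the UTF-16 BOM
                    body = fh.read()
                reasons = classify_task(body)
            except (OSError, ET.ParseError):      # unreadable or not a task definition
                continue
            if reasons:
                hits[path] = reasons
    return hits


def main(argv):
    if len(argv) > 1:                             # real run: python hunt_tasks.py <task dir>
        for path, reasons in scan_task_dir(argv[1]).items():
            print(path)
            for reason in reasons:
                print("   -", reason)
        return
    for label, body in (("benign", BENIGN_TASK_XML), ("hatvibe-like", HATVIBE_TASK_XML),
                        ("cherryspy-like", CHERRYSPY_TASK_XML)):
        print(label, "->", classify_task(body) or "clean")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to see the three constructed samples classified; pass the task store directory (on a live host, C:\Windows\System32\Tasks, read with administrative rights) to scan real definitions. The string matches are deliberately loose: legitimate software rarely schedules mshta.exe, so every hit is worth a look, while the Python check is restricted to interpreters under user-writable paths to avoid flagging a normal system-wide install.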
