
Winter Vivern APT Targets European Government Entities With Aperetif

Winter Vivern, an APT group working in support of the interests of the Russian and Belarusian governments, has been targeting governments around the world since 2021. Recently, it has been observed targeting authorities in Ukraine, Italy, and Poland, among others, via a new malware, dubbed Aperetif.

About the recent campaign

In a report, SentinelOne has detailed the recent activities of Winter Vivern (aka UAC-0114), which include attacks on government agencies directly or indirectly related to the Ukraine-Russia conflict.
  • It has targeted the Italian Ministry of Foreign Affairs, the Ukrainian Ministry of Foreign Affairs, and other government agencies in Poland and India.
  • In a few instances, the group was observed targeting private businesses, mostly telecommunication organizations that favor or support Ukraine.

Attack tactics

Winter Vivern leverages a variety of methods, including phishing websites and weaponized Excel documents laden with malicious macros to infect the target.
  • It uses batch scripts under the guise of virus scanners. When executed, the script downloads malware from the C2 server.
  • In one specific case, it used an XLS document, pretending to be a document related to Hochu Zhit (a popular Ukrainian website). When opened, the embedded macro executed a PowerShell script, establishing a connection with the C2 for further instructions.

One of the malware families used by Winter Vivern in recent attacks is Aperetif, about which CERT-UA issued a warning a month ago.

More about Aperetif

Aperetif is a Visual C++-based trojan, used to collect details of the victim, maintain backdoor access, and download additional payloads from the C2 server. 
  • Experts believe that this malware was compiled on or after May 25, 2022.
  • It is hosted on compromised WordPress websites and is downloaded on the targeted machine during the initial attack stage. 
  • It further uses PowerShell commands (such as whoami) to get the details about the infected system and establish a beacon to the C2 server for further instructions.
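A defender-side check for the process chain described in the two sections above (an Office document spawning PowerShell, which then runs reconnaissance commands such as whoami), as an added example that is not from the SentinelOne or CERT-UA reports: it walks constructed Sysmon-style process-creation events and flags script hosts spawned by Office applications and recon binaries that have an Office ancestor. The record layout, the image lists beyond whoami, and the sample events are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Image names matched case-insensitively. whoami comes from the article; the other
# entries are assumed additions typical of the same host-reconnaissance step.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
RECON_IMAGES = {"whoami.exe", "systeminfo.exe", "ipconfig.exe", "net.exe"}

@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields, assumed)."""
    pid: int
    ppid: int
    image: str

def image_name(path: str) -> str:
    """Basename of an image path, lower-cased, so path differences do not matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> Iterator[ProcEvent]:
    """Walk up the parent chain; bounded so PID reuse or cycles cannot loop forever."""
    cur = ev
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return
        yield cur

def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for Office-to-script-host and Office-descendant recon."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        if parent and image_name(parent.image) in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append(("office_spawned_script_host", e.pid))
        if name in RECON_IMAGES and any(image_name(a.image) in OFFICE_APPS for a in ancestors(e, by_pid)):
            findings.append(("office_descendant_recon", e.pid))
    return findings

# Constructed sample tree: Excel opened from Explorer spawns PowerShell, which runs
# whoami; a separate PowerShell session started from Explorer also runs whoami (benign).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\whoami.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\whoami.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the Excel-rooted chain (pids 300 and 400) is flagged; the whoami run from the Explorer-launched PowerShell session is not, which is the point of checking ancestry rather than the command alone.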

Ending notes

Winter Vivern has been using common phishing lures, such as fake websites or malicious documents, to deploy its payloads. Moreover, its arsenal is quite limited, and experts suspect that it does not have access to the wide range of resources that other APT groups usually have. Security analysts suggest it may be part of a typical cybercrime organizational structure, with the role of network penetration and then providing initial access to other groups.