This report discusses a cyber espionage campaign linked to the Russian intrusion set UAC-0063, which targets Central Asian countries, particularly Kazakhstan, using weaponized Office documents. The campaign is associated with the APT28 group and aims to collect strategic intelligence concerning Kazakhstan’s diplomatic and economic relations. Affected: Kazakhstan, Ukraine, Israel, India, Kyrgyzstan, Tajikistan
Keypoints :
- UAC-0063 is a Russian intrusion set active since at least 2021, targeting various countries.
- The campaign utilizes spearphishing Word documents with malicious macros.
- Documents weaponized include legitimate files from the Ministry of Foreign Affairs of Kazakhstan.
- Malware HATVIBE and CHERRYSPY are used in the infection chain.
- The campaign aims to gather intelligence on Kazakhstan’s relations with Western and Asian countries.
- Detection opportunities include monitoring registry changes and scheduled tasks related to malicious macros.
MITRE Techniques :
- T1086 – PowerShell: Used to execute malicious scripts from the infected documents.
- T1203 – Exploitation for Client Execution: Leveraged through weaponized Office documents to exploit vulnerabilities.
- T1059.001 – Command and Scripting Interpreter: PowerShell used for executing commands.
- T1071.001 – Application Layer Protocol: Communication with C2 servers via HTTP/HTTPS.
- T1056.001 – Input Capture: Capturing user input through malicious macros.
Indicator of Compromise :
- [domain] background-services[.]net
- [domain] lookup[.]ink
- [domain] download-resourses[.]info
- [ip address] 213.159.79[.]56
- [file hash] 35fee95e38e47d80b470ee1069dd5c9c
- Check the article for all found IoCs.