Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY

Summary:
Insikt Group has uncovered a cyber-espionage campaign by TAG-110, a Russia-aligned group targeting Central Asia, East Asia, and Europe. Utilizing custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily focuses on government entities and human rights organizations. The campaign is part of a broader Russian strategy to gather intelligence and maintain influence in the region.
#CyberEspionage #TAG110 #HATVIBE

Keypoints:

  • TAG-110 is linked to the Russian APT group BlueDelta (APT28).
  • The group targets governments, human rights groups, and educational institutions.
  • Malware used includes HATVIBE (a loader) and CHERRYSPY (a Python backdoor).
  • Since July 2024, 62 victims across eleven countries have been identified.
  • HATVIBE achieves persistence through scheduled tasks and communicates with C2 servers via HTTP PUT requests.
  • CHERRYSPY uses RSA and AES encryption for secure data exfiltration.
  • TAG-110's activities align with Russian geopolitical objectives in Central Asia.
  • Mitigation strategies include monitoring IoCs, deploying detection rules, and enhancing threat awareness.
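The HATVIBE behaviours listed above (persistence via a scheduled task, C2 over HTTP PUT) can be turned into a simple correlation rule. The following is an added detection example, not code from Insikt Group or the report: it parses constructed scheduled-task creation records (using the standard Windows event ID 4698) and constructed proxy log lines, flags outbound PUT requests to hosts outside an allowlist, and raises the severity when such a PUT follows a task creation on the same host within a time window. The log format, hostnames, IPs and the allowlist are all assumptions made for the example.

```python
"""Correlate scheduled-task creation with outbound HTTP PUT traffic.

Added example (not from the report). Input formats are constructed:
'<ISO timestamp> key=value key=value ...'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

KV = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(hours=1)  # how long after task creation a PUT still counts as related

# Constructed sample records (hosts, IPs and task names are made up).
# Event 4698 is the Windows Security event for "a scheduled task was created".
TASK_EVENTS = [
    "2024-09-02T08:14:03Z host=WS-041 event=4698 task=\\Microsoft\\Windows\\Maintenance\\Update user=alice",
    "2024-09-02T09:00:00Z host=WS-017 event=4698 task=\\Backup\\Nightly user=SYSTEM",
]
PROXY_LOG = [
    "2024-09-02T08:16:41Z host=WS-041 method=PUT url=http://203.0.113.10/upload/ status=200 bytes=5120",
    "2024-09-02T08:16:42Z host=WS-041 method=GET url=https://www.example.org/ status=200 bytes=844",
    "2024-09-02T09:30:11Z host=WS-017 method=PUT url=https://files.corp.example/share status=201 bytes=300",
    "2024-09-03T10:00:00Z host=WS-099 method=PUT url=http://198.51.100.7/ status=200 bytes=20480",
]
# Destinations where PUT is expected (hypothetical internal file service).
ALLOWED_PUT_HOSTS = {"files.corp.example"}


def parse_line(line: str) -> dict:
    """Parse one record into a dict; the timestamp is stored as datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def suspicious_puts(proxy_lines, allowed_hosts):
    """Return PUT requests whose destination host is not on the allowlist."""
    out = []
    for rec in map(parse_line, proxy_lines):
        if rec.get("method") != "PUT":
            continue
        dest = urlparse(rec["url"]).hostname or ""
        if dest in allowed_hosts:
            continue
        rec["dest"] = dest
        out.append(rec)
    return out


def correlate(task_lines, proxy_lines, allowed_hosts, window=WINDOW):
    """Build alerts: a non-allowlisted PUT is 'medium'; one preceded by a
    scheduled-task creation on the same host within `window` is 'high'."""
    tasks_by_host = defaultdict(list)
    for rec in map(parse_line, task_lines):
        if rec.get("event") == "4698":
            tasks_by_host[rec["host"]].append(rec)

    alerts = []
    for put in suspicious_puts(proxy_lines, allowed_hosts):
        related = [
            t for t in tasks_by_host[put["host"]]
            if 0 <= (put["ts"] - t["ts"]).total_seconds() <= window.total_seconds()
        ]
        alerts.append({
            "host": put["host"],
            "dest": put["dest"],
            "bytes": int(put["bytes"]),
            "task": related[0]["task"] if related else None,
            "severity": "high" if related else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(TASK_EVENTS, PROXY_LOG, ALLOWED_PUT_HOSTS):
        print(alert)
```

On the sample data this yields a high-severity alert for WS-041 (task created at 08:14, PUT to 203.0.113.10 two minutes later) and a medium one for WS-099 (PUT with no preceding task); the PUT from WS-017 to the allowlisted internal host is ignored. In a real deployment the allowlist and window need tuning, and the IoC list from the full report should be added as a further match condition on the destination.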

MITRE Techniques:

  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Initial Access (T1566): Achieves initial access through phishing emails.
  • Exploitation of Public-Facing Applications (T1190): Exploits vulnerabilities in web-facing services like Rejetto HTTP File Server.
  • Data Exfiltration (T1041): Uses CHERRYSPY for secure data exfiltration from compromised systems.

IoC:

  • [domain] example.com
  • [url] http://malicious-url.com
  • [ip address] 192[.]168[.]1[.]1
  • [email] threatactor@example.com
  • [file name] malicious_file.exe
  • [file hash] 123456abcdef7890
  • [tool name] HATVIBE
  • [others ioc] CHERRYSPY

Full Research: https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-asia-and-europe