Summary:
Insikt Group has uncovered a cyber-espionage campaign by TAG-110, a Russia-aligned group targeting Central Asia, East Asia, and Europe. Utilizing custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily focuses on government entities and human rights organizations. The campaign is part of a broader Russian strategy to gather intelligence and maintain influence in the region.
#CyberEspionage #TAG110 #HATVIBE
Keypoints:
TAG-110 is linked to the Russian APT group BlueDelta (APT28).
The group targets governments, human rights groups, and educational institutions.
Malware used includes HATVIBE (a loader) and CHERRYSPY (a Python backdoor).
Since July 2024, 62 victims across eleven countries have been identified.
HATVIBE achieves persistence through scheduled tasks and communicates with C2 servers via HTTP PUT requests.
CHERRYSPY uses RSA and AES encryption for secure data exfiltration.
TAG-110's activities align with Russian geopolitical objectives in Central Asia.
Mitigation strategies include monitoring IoCs, deploying detection rules, and enhancing threat awareness.
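As an added example that is not part of the Insikt Group report, the following correlation turns the HATVIBE tradecraft noted above (scheduled-task persistence followed by HTTP PUT beaconing) into a host-level detection heuristic. The telemetry, field names, hostnames and addresses are all constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not from the report): scheduled-task creation
# events joined with web-proxy records, one dict per event.
EVENTS = [
    {"ts": "2024-08-01T09:00:00", "host": "ws-12", "kind": "task_created", "task": "UpdateSvc"},
    {"ts": "2024-08-01T09:02:10", "host": "ws-12", "kind": "http", "method": "PUT", "dst": "203.0.113.7"},
    {"ts": "2024-08-01T09:05:00", "host": "ws-12", "kind": "http", "method": "PUT", "dst": "203.0.113.7"},
    {"ts": "2024-08-01T10:00:00", "host": "ws-30", "kind": "http", "method": "PUT", "dst": "10.0.0.5"},
    {"ts": "2024-08-01T11:00:00", "host": "ws-44", "kind": "task_created", "task": "Backup"},
    {"ts": "2024-08-01T11:01:00", "host": "ws-44", "kind": "http", "method": "GET", "dst": "198.51.100.9"},
]

# Assumed internal ranges (RFC 1918); PUTs to these are treated as benign here.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(dst):
    """True when the destination is not inside an assumed-internal range."""
    try:
        addr = ip_address(dst)
    except ValueError:
        return True  # hostnames are treated as external in this sample
    return not any(addr in net for net in INTERNAL)


def suspicious_hosts(events, window=timedelta(minutes=30), min_puts=2):
    """Return hosts where a scheduled-task creation is followed, within
    `window`, by at least `min_puts` HTTP PUT requests to an external address."""
    tasks = {}
    for e in events:
        if e["kind"] == "task_created":
            tasks.setdefault(e["host"], []).append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for e in events:
        if e["kind"] != "http" or e["method"] != "PUT" or not is_external(e["dst"]):
            continue
        t = datetime.fromisoformat(e["ts"])
        for start in tasks.get(e["host"], []):
            if start <= t <= start + window:
                hits[e["host"]] = hits.get(e["host"], 0) + 1
                break
    return sorted(h for h, n in hits.items() if n >= min_puts)


if __name__ == "__main__":
    print(suspicious_hosts(EVENTS))  # ['ws-12']
```

Only ws-12 is flagged: ws-30 PUTs to an internal address with no preceding task, and ws-44 registers a task but only issues GETs.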
MITRE Techniques:
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Initial Access (T1566): Achieves initial access through phishing emails.
Exploitation of Public-Facing Applications (T1190): Exploits vulnerabilities in web-facing services like Rejetto HTTP File Server.
Data Exfiltration (T1041): Uses CHERRYSPY for secure data exfiltration from compromised systems.
IoC:
[domain] example.com
[url] http://malicious-url.com
[ip address] 192[.]168[.]1[.]1
[email] threatactor@example.com
[file name] malicious_file.exe
[file hash] 123456abcdef7890
[tool name] HATVIBE
[others ioc] CHERRYSPY
Full Research: https://www.recordedfuture.com/research/russia-aligned-tag-110-targets-asia-and-europe