APT28 has been observed conducting cyber espionage activities focusing on Central Asia and Kazakhstan. This analysis explores a heavily obfuscated malware sample, assessing its capabilities, particularly its use of VBScript and interaction with a command-and-control server.
Affected: APT28, Central Asia, Kazakhstan
Key points:
- APT28 is engaged in cyber espionage targeting Central Asia and Kazakhstan.
- The report analyzes a sample related to HATVIBE and CHERRYSPY infection chains.
- The malware sample is heavily obfuscated, complicating analysis and reverse engineering.
- Technical analysis involved using x32dbg and examining the sample’s behavior.
- The malware, implemented as an .hta file, primarily employs VBScript for malicious activities.
- Key communications involve a command-and-control (C2) server located at IP address 5.45.70.178.
- The payload collects victim information and sends it to the C2 server.
- Multiple rounds of deobfuscation revealed critical code responsible for the malware’s execution.
- Support for the continuation of malware analysis is encouraged.
MITRE Techniques:
- T1086: PowerShell – The malware leverages VBScript to execute commands.
- T1071.001: Application Layer Protocol: Web Protocols – The payload communicates over HTTP to the C2 server.
- T1133: External Remote Services – The sample uses mshta.exe to run the script, enabling external command execution.
Indicators of Compromise:
- [MD5] d0c3b49e788600ff3967f784eb5de973
- [SHA256] 332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725
- [MD5] 690fe881d288167fde157c6fb834c3ef
- [SHA256] 0fa7e3ffb8a9ca246cc1f1e3f6118ced7a7b785de510d777b316dfcefdddb0be
- [IP Address] 5.45.70.178
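The indicators and the mshta.exe execution path described above translate directly into hunting logic. The following is an added example, not code from the linked blog post: it hashes file contents against the hash IoCs listed here, and it runs three detection rules over constructed Sysmon-style `key=value` event lines (the log format and the sample lines are assumptions for the example; the IP and hashes are the ones from this report). Beyond the report's own IoCs, it also flags any network connection made by mshta.exe, since that process has no legitimate reason to beacon in most environments.

```python
import hashlib
import re

# Hash and network IoCs as listed in this report
IOC_HASHES = {
    "d0c3b49e788600ff3967f784eb5de973",
    "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725",
    "690fe881d288167fde157c6fb834c3ef",
    "0fa7e3ffb8a9ca246cc1f1e3f6118ced7a7b785de510d777b316dfcefdddb0be",
}
IOC_IPS = {"5.45.70.178"}

# Constructed Sysmon-like events (EventID 1 = process create, 3 = network connect).
# These lines are invented for the example, not captured from a real host.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Users\victim\AppData\Local\Temp\invite.hta" ParentImage=C:\Windows\explorer.exe',
    r'EventID=3 Image=C:\Windows\System32\mshta.exe DestinationIp=5.45.70.178 DestinationPort=80',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt" ParentImage=C:\Windows\explorer.exe',
    r'EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443',
]

# key=value pairs; values are either "quoted with spaces" or a single non-space token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict (quoted values keep their spaces)."""
    return {key: quoted or plain for key, quoted, plain in _KV.findall(line)}


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of a file's contents, matching the IoC formats above."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_match(data: bytes) -> set:
    """Return the subset of IOC_HASHES that the given file contents match."""
    return set(file_hashes(data).values()) & IOC_HASHES


def analyze_log(lines) -> list:
    """Apply the detection rules to each event; returns (rule, line_index) pairs."""
    alerts = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        is_mshta = image.endswith("mshta.exe")

        # Rule 1: mshta.exe launched with an .hta argument (the delivery mechanism in this report)
        if ev.get("EventID") == "1" and is_mshta and ".hta" in ev.get("CommandLine", "").lower():
            alerts.append(("mshta_hta_launch", idx))

        # Rule 2: mshta.exe opening any outbound connection (generalisation: unusual regardless of destination)
        if ev.get("EventID") == "3" and is_mshta:
            alerts.append(("mshta_network", idx))

        # Rule 3: any process contacting the C2 address from this report
        if ev.get("EventID") == "3" and ev.get("DestinationIp") in IOC_IPS:
            alerts.append(("c2_ip_contact", idx))
    return alerts


if __name__ == "__main__":
    for rule, idx in analyze_log(SAMPLE_LOG):
        print(f"[{rule}] {SAMPLE_LOG[idx]}")
```

To use this against real data, feed `analyze_log` the exported event lines and `hash_match` the bytes of any .hta or dropped file under review; the rule names make it straightforward to port the same logic to a SIEM query.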
Full Story: https://malwareanalysisspace.blogspot.com/2025/02/unveiling-apt28s-heavily-obfuscated-hta.html