Pierluigi Paganini November 25, 2024

Russia-linked threat actors TAG-110 employed custom malware HATVIBE and CHERRYSPY to target organizations in Asia and Europe.

Insikt Group researchers uncovered an ongoing cyber-espionage campaign by Russia-linked threat actor TAG-110 that employed custom malware tools HATVIBE and CHERRYSPY.

The campaign primarily targeted government entities, human rights groups, and educational institutions in Central Asia, East Asia, and Europe.

The researchers pointed out that the campaign’s tactics, techniques and procedures align with the historical operations of UAC-0063, attributed to Russian APT APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).

The APT used HATVIBE loader to deliver malware like CHERRYSPY, threat actors often rely on malicious emails or exploited web vulnerabilities. HATVIBE uses obfuscation (e.g., XOR encryption) and persists via scheduled tasks with mshta.exe. The loader communicates with C2 servers via HTTP PUT, sharing system details.

CHERRYSPY, a Python backdoor, enables encrypted data exfiltration using RSA and AES. Used by TAG-110, it targets government and research entities to extract sensitive data and monitor systems.

“HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or exploiting vulnerable web-facing services like Rejetto HTTP File Server.” reads the report published by Insikt Group.

In May 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a cyberespionage campaign targeting state bodies as part of an espionage campaign conducted by a threat actor tracked as UAC-0063. The attackers employed both CHERRYSPY and HATVIBE, along with the keylogger LOGPIE and STILLARCH malware.

The nation-state actor, on April 18, 2023 and April 20, 2023, sent spear-phishing emails to the department’s e-mail address, supposedly from the official mailbox of the Embassy of Tajikistan in Ukraine.

Since July 2024, TAG-110 targeted at least 62 victims across eleven countries, with notable incidents in Kazakhstan, Kyrgyzstan, and Uzbekistan.

TAG-110’s operations align with Russia’s geopolitical interests, focusing on Central Asia to maintain influence amid strained relations. The researchers pointed out that intelligence gathered in these campaigns supports Russia’s military strategies and enhances understanding of regional dynamics.

“TAG-110 is expected to continue its cyber-espionage campaigns, focusing on post-Soviet Central Asian states, Ukraine, and Ukraine’s allies. These regions are significant to Moscow due to strained relations following Russia’s invasion of Ukraine.” concludes the report. “While TAG-110’s ties to BlueDelta remain unconfirmed, its activities align with BlueDelta’s strategic interests in national security, military operations, and geopolitical influence.”

The report includes Indicators of Compromise (IoCs) along with Snort and Yara rules,

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)