Russia-linked threat actors UAC-0063 is targeting Kazakhstan as part of a cyber espionage campaign to gather economic and political intelligence in Central Asia.
The Computer Emergency Response Team of Ukraine (CERT-UA) first detailed the activity of UAC-0063 in early 2023.
The group targeted government entities in Ukraine, Central Asia, East Asia, and Europe. The group’s arsenal includes multiple malware families such as HATVIBE, CHERRYSPY, and STILLARCH (aka DownEx).
During a state visit to Kazakhstan on November 27, 2024, President Putin emphasized ties with the country. The experts observed a cyber espionage campaign using weaponized Kazakh Ministry of Foreign Affairs documents to gather intelligence on Central Asia’s diplomatic and economic ties. Sekoia attributes the attacks to Russia-linked UAC-0063, overlapping with APT28.
Upon enabling the macro in the weaponized documents, the malicious code creates a second blank document in the C:\Users\[USER]\AppData\Local\Temp\ folder. The document is populated from variables present in the settings.xml of the first document and weaponized by adding a malicious macro to it.
The macro launches a hidden Microsoft Word instance to open the second malicious document, which will execute its macro in a stealth way after the AccessVBOM registry key has been modifies.
“This document was weaponized on 13 September 2024 with a malicious macro aimed at creating another malicious document.” reads the report published by Sekoia. “This second document is automatically opened in an hidden Word instance by the initial macro, to drop and execute a malicious HTA (HTML Application) file embedding a VBS backdoor nicknamed “HATVIBE” by the CERT-UA. As this infection chain is pretty unique, we named it Double-Tap and decided to take a look at it.”
HATVIBE acts as a loader, it downloads VBS modules leading to the deployment of the Python backdoor CHERRYSPY.
The Double-Tap campaign, similar to Zebrocy infections, uses VBA scripts, registry modifications, and scheduled tasks for persistence. UAC-0063 links the the activity to the GRU’s APT28 group.
“What makes this Double-Tap infection chain quite unique is that it employs many tricks to bypass security solutions such as storing the real malicious macro code in the settings.xml file and creating a scheduled task without spawning schtasks.exe for the second document or using, for the first document, an anti-emulation trick aimed to see if the execution time has not been altered, otherwise the macro is stopped.” continues the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT28)