23 July 2024

Russia-linked hackers exploit critical Rejetto flaw to drop Hatvibe backdoor

The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has published technical details of a cyberattack by the UAC-0063 group against a Ukrainian research institution, in which the group deployed the HATVIBE and CHERRYSPY malware.

During the initial compromise, the attacker gained access to an employee's email account and re-sent a copy of a recently sent message to dozens of recipients, including the original sender. The original attachment was swapped for a document containing an embedded macro.

If the recipient opened the DOCX and enabled the macro, it created and opened a second document (DOC) carrying its own macro. That macro wrote an encoded HTA file, the HATVIBE backdoor, named "RecordsService" to the infected machine and registered a scheduled task, stored as "C:\Windows\System32\Tasks\vManage\StandaloneService", to execute it.

Through the remote access HATVIBE provided, the attackers later downloaded a Python interpreter and the CHERRYSPY backdoor into the "C:\ProgramData\Python" directory on the infected computer. Unlike the earlier version, which was obfuscated with pyArmor, this build was compiled into a .pyd file (a Python extension module, which is a DLL).
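A host-level check for the artifacts named in the two paragraphs above, added here as an example; it is not taken from CERT-UA's report or from the article. It assumes only the task name, task file path and drop directory exactly as reported; the process check, hashing and output format are this script's own design, and its presence checks are indicators to triage, not proof of infection:

```powershell
# Added hunt script (not CERT-UA's or the article's): looks for the HATVIBE and
# CHERRYSPY artifacts reported for UAC-0063 on a single Windows host.
# Run in an elevated PowerShell session; prints a table of findings.

$findings = @()

# 1. Persistence: the scheduled task "vManage\StandaloneService" that runs HATVIBE.
$task = Get-ScheduledTask -TaskPath '\vManage\' -TaskName 'StandaloneService' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Indicator = 'ScheduledTask'; Detail = "\vManage\StandaloneService -> $actions" }
}

# The task's on-disk XML is the path named in the report; check it directly as well,
# since it can survive after the task is unregistered or the scheduler cache is cleared.
$taskXml = Join-Path $env:SystemRoot 'System32\Tasks\vManage\StandaloneService'
if (Test-Path -LiteralPath $taskXml) {
    $findings += [pscustomobject]@{ Indicator = 'TaskFile'; Detail = $taskXml }
}

# 2. Second stage: a Python interpreter plus CHERRYSPY dropped into C:\ProgramData\Python.
$pyDir = Join-Path $env:ProgramData 'Python'
if (Test-Path -LiteralPath $pyDir) {
    $findings += [pscustomobject]@{ Indicator = 'Directory'; Detail = $pyDir }
    # The current CHERRYSPY build is a compiled .pyd; collect those and any interpreter
    # binaries with SHA-256 hashes so they can be checked against the published IOCs.
    Get-ChildItem -LiteralPath $pyDir -Recurse -File -Include *.pyd, python*.exe, python*.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = "$($_.FullName) sha256=$hash" }
        }
}

# 3. Live execution (assumption: a running interpreter launched from that directory
# is a strong sign the backdoor is active, not just staged).
Get-CimInstance Win32_Process -Filter "Name LIKE 'python%'" -ErrorAction SilentlyContinue |
    Where-Object { $_.ExecutablePath -like (Join-Path $pyDir '*') } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "PID $($_.ProcessId): $($_.CommandLine)" }
    }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No HATVIBE/CHERRYSPY artifacts found on this host.'
}
```

Note that a legitimate Python install under ProgramData is unusual but not impossible, so a hit on the directory alone should be confirmed through the task, the .pyd hashes or the process check before the host is treated as compromised.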

CERT-UA associates the activity tracked as UAC-0063, with moderate confidence, with the APT28 group (UAC-0001), which is directly linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Additionally, a DOCX document with a similar macro was found on VirusTotal, uploaded from Armenia on July 16, 2024.

That document's decoy content was a deliberately garbled letter purportedly sent to the Defense Policy Department of the Ministry of Defense of the Republic of Armenia by the International Military Cooperation Department of the Ministry of Defense of the Kyrgyz Republic.

Separately, in June 2024 CERT-UA recorded numerous HATVIBE installations resulting from exploitation of CVE-2024-23692 in Rejetto HTTP File Server (HFS). The flaw is a server-side template injection issue in the HFS 2.x branch (2.3m and earlier) that lets an unauthenticated remote attacker execute arbitrary commands on the server. There is no fixed 2.x release; the maintainer's guidance is to stop using 2.x and move to HFS 3, and any 2.x instance reachable from the internet should be treated as potentially compromised and checked for the HATVIBE artifacts described above.
