New Hive0117 Threat Group Impersonates Russian Agencies

Researchers at IBM X-Force recently identified a new phishing campaign most likely conducted by a financially motivated threat group, currently labelled Hive0117. The campaign spoofs Russian Department of Justice email addresses and official communications, specifically purporting to be emails from the Russian Government’s Federal Bailiffs Service. The Russian-language emails are addressed to members of organizations, often company owners or other individuals with elevated access, in Lithuania, Estonia, and Russia in the Telecommunications, Electronic and Industrial sectors. These targeted organizations include subsidiaries of international companies operating in those regions. The emails contain zip files with Russian-language names such as “Performance List”, “Writ of Execution”, and “Invoice”, which subsequently load the DarkWatchman JavaScript backdoor. The attacks predate the Ukraine-Russia war, beginning in February 2022, and are currently not attributed by X-Force researchers to state-sponsored activity.

Analyst Notes

Hive0117 is currently classified as a financially motivated threat group employing moderately sophisticated strategies. It is likely that the telecommunications and other industry targets are intended to create a foundation for further compromise of companies and government organizations both local to the current region of operations in Eastern Europe and also global in scope. For example, subsidiaries of international companies in Eastern Europe can be compromised in order to compromise the parent company or sister subsidiaries elsewhere. Moreover, such compromise may extend to end clients and corporate partners as well.

In the current threat environment, attacks by financially motivated threat groups have an elevated likelihood in many organizations’ threat models, particularly those that provide essential infrastructure services and may pay for data extortion and ransom. Supply chain attacks have been documented as a favored method of evading defensive controls and mitigations: by installing backdoors into trusted software or hardware, threat groups with the appropriate resources gain the ability to evade perimeter defenses. In addition, other trusted relationships, such as counterparties, suppliers, and contracted vendors, are also at risk of Business Email Compromise (BEC) and other attempts to take advantage of trusted access. For this reason, smaller organizations are also at elevated risk as potential stepping-stones for compromising larger organizations. Organizations are advised to adopt increased vigilance and move toward zero-trust methodologies, as well as investing in comprehensive defense-in-depth and post-exploitation detection strategies – such as those offered by Binary Defense.

Hive0117 continues fileless malware delivery in Eastern Europe