An advanced hacking group named ‘Winter Vivern’ targets European government organizations and telecommunication service providers to conduct espionage. The group’s activities align with the interests of the Russian and Belarusian governments, so it is believed to be a pro-Russian APT (advanced persistent threat) group. SentinelLabs reports that the threat group operates with limited resources; however, its creativity compensates for these limitations.

Winter Vivern was first documented by DomainTools in 2021, when it was seen targeting government organizations in Lithuania, Slovakia, the Vatican, and India. In more recent campaigns observed by SentinelLabs, the hackers target individuals working in the governments of Poland, Italy, Ukraine, and India. In addition to high-profile state targets, the hackers have also targeted telecommunication companies, such as those supporting Ukraine since the Russian invasion.

Starting in early 2023, the hackers created webpages that mimicked those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine. These sites distribute malicious files to visitors who arrive there by clicking on links in malicious emails. One example of Winter Vivern’s resourcefulness in the SentinelLabs report is the use of Windows batch files that pose as antivirus scanners while, in reality, they download malicious payloads. The payload delivered through this process is named “Aperetif,” which the Ukrainian CERT documented in detail in a February 2023 report. The malware is hosted on compromised WordPress websites, which are commonly used for malware distribution campaigns. Aperetif is capable of automatic file scanning and exfiltration and of taking screenshots, sending all collected data in base64-encoded form to a hardcoded command-and-control server URL (marakanas[.]com).
In conclusion, Winter Vivern is a group that uses a relatively simplistic yet effective approach to lure its targets into downloading malicious files. At the same time, their low profile has helped them stay under-reported.
To protect best against a campaign such as this, it is recommended to provide user education on common phishing tactics as well as on emerging cybersecurity risks and vulnerabilities in general. It is also important to employ a defense-in-depth strategy so that this activity can be detected at a different stage of the attack chain, such as during lateral movement or reconnaissance. Binary Defense’s MDR and Threat Hunting services are an excellent solution to assist with such a program.
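As an added illustration of the detection side of that defense-in-depth advice (example code written for this page, not Binary Defense's or SentinelLabs's tooling), the script below triages a web-proxy log for the two network-level traits the post attributes to Aperetif: connections to the hardcoded C2 domain marakanas[.]com and large outbound POST bodies that consist entirely of base64. The log format, the 4096-byte upload threshold, and every log line are constructed assumptions; only the C2 domain comes from the post.

```python
"""
Added example (not from the post or the reports it cites): triage a proxy log
for Aperetif-style traffic. All log lines below are constructed sample data.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicator quoted in the post, in defanged form; refang() normalises it.
KNOWN_C2 = {"marakanas[.]com"}
# Assumed triage thresholds: only flag base64 POST bodies large enough to
# plausibly carry exfiltrated files or screenshots.
LARGE_UPLOAD_BYTES = 4096
MIN_B64_LEN = 16

# Constructed sample log. Assumed columns:
# timestamp client method host path bytes_out body_sample
SAMPLE_LOG = """\
2023-03-01T10:01:02Z 10.0.0.5 GET  example.org /index.html 0 -
2023-03-01T10:02:15Z 10.0.0.5 POST marakanas.com /api/upload 48211 aGVsbG8gd29ybGQ=
2023-03-01T10:03:40Z 10.0.0.9 POST intranet.corp.local /login 128 user=bob&pass=xyz
2023-03-01T10:04:01Z 10.0.0.7 POST cdn.example.net /collect 92000 U2NyZWVuc2hvdCBkYXRh
"""

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as marakanas[.]com into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def looks_like_base64(blob: str, min_len: int = MIN_B64_LEN) -> bool:
    """True when blob is well-formed base64 of at least min_len characters."""
    if len(blob) < min_len or len(blob) % 4 != 0 or not _B64_RE.match(blob):
        return False
    try:
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


@dataclass
class Finding:
    line_no: int
    client: str
    host: str
    reasons: list = field(default_factory=list)


def triage(log_text: str, c2_domains=KNOWN_C2) -> list:
    """Return one Finding per log line that matches a C2 domain or a large base64 POST."""
    c2 = {refang(d) for d in c2_domains}
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines instead of aborting the whole triage
        _ts, client, method, host, _path, bytes_out, body = parts
        reasons = []
        if host.lower() in c2:
            reasons.append("known_c2_domain")
        if (method == "POST" and bytes_out.isdigit()
                and int(bytes_out) >= LARGE_UPLOAD_BYTES
                and looks_like_base64(body)):
            reasons.append("large_base64_post")
        if reasons:
            findings.append(Finding(line_no, client, host, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.host}: {', '.join(f.reasons)}")
```

The domain match is the high-confidence signal; the base64 heuristic is deliberately noisier and is meant to surface hosts worth a closer look (the fourth sample line is flagged on that basis alone), which is why it is gated on upload size. Run against real proxy exports, the column parsing in `triage()` would be replaced with the export's actual schema.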