Winter Vivern APT targets pro-Ukraine European organisations

April 12, 2023

European organisations and telecommunications service providers have been alerted to a relatively new advanced persistent threat (APT) group, Winter Vivern, which is said to be conducting cyberespionage campaigns. Experts believe the group is pro-Russian, since its targeting aligns with the interests of the Russian and Belarusian governments.

First spotted in 2021, Winter Vivern initially struck organisations in India, Slovakia, Lithuania, Poland, Ukraine, Italy, and the Vatican. Among the organisations seen attacked by the group are high-profile state agencies and telecom firms that support Ukraine against Russia’s invasion.

Many of the group’s phishing campaigns involved setting up fake websites impersonating the Ukraine Ministry of Foreign Affairs, the Security Service of Ukraine, and Poland’s Central Bureau for Combating Cybercrime. Visitors who land on these attacker-controlled sites, usually by clicking links in phishing emails, are served malicious files or malware.

Winter Vivern APT uses Windows batch files posing as AV scanners that hide malware.

In other activity attributed to the group, Winter Vivern used Windows batch files posing as antivirus applications: the console makes it appear that an AV scan is in progress while malware is actually being downloaded to the victim’s system.

During the fake antivirus scan, a running percentage of the time left until the process completes is displayed. Unbeknownst to the victim, a malicious payload, which researchers named ‘Aperetif’, is silently installed in the background via PowerShell.

Hosted via WordPress, the Aperetif malware can automatically scan for and collect files and send everything it exfiltrates to the threat actors’ remote command-and-control (C2) server. A second, as yet unidentified payload used by Winter Vivern offers the same capabilities as Aperetif; it is assumed to be a work in progress, as the sample found had an unfinished design.
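The batch-file lure described above lends itself to a process-lineage detection. The following is an added example (my code, not code from the original post or from any vendor report) that scores constructed process-creation records for the chain of a batch file spawning a PowerShell download; the record fields, weights, threshold and sample values are assumptions.

```python
"""Heuristic for the fake-AV batch-file lure described above.

Added example, not code from the original post or any vendor report. It
scans constructed process-creation records (Sysmon Event ID 1 style, cut
to four fields) for the chain described: a batch file spawning PowerShell
that fetches a payload in the background. Field names and samples are mine.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString"
                         r"|Net\.WebClient|Start-BitsTransfer", re.I)
STEALTH_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-nop(rofile)?\b"
                        r"|-ep\s+bypass|ExecutionPolicy\s+bypass", re.I)


def score(ev):
    """Weight the signals for one PowerShell launch; 3 or more is worth an alert."""
    if not ev.image.lower().endswith("powershell.exe"):
        return 0, []
    from_batch = ev.parent_image.lower().endswith("cmd.exe") and BATCH_RE.search(ev.parent_cmdline)
    signals = [(2, "launched from a batch file", from_batch),
               (2, "command line downloads content", DOWNLOAD_RE.search(ev.cmdline)),
               (1, "hidden/encoded/policy-bypass switches", STEALTH_RE.search(ev.cmdline))]
    hits = [(w, why) for w, why, seen in signals if seen]
    return sum(w for w, _ in hits), [why for _, why in hits]


def find_alerts(events, threshold=3):
    """Index, score and reasons of every event at or above the threshold."""
    scored = ((i, *score(ev)) for i, ev in enumerate(events))
    return [(i, s, why) for i, s, why in scored if s >= threshold]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    ProcEvent(CMD, CMD + r' /c ""C:\Users\olena\Downloads\Antivirus_Scan.bat" "', PS,
              'powershell -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile($u,$p)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe", PS,
              r"powershell -File C:\Scripts\backup.ps1"),
    ProcEvent(CMD, CMD + r' /c ""C:\Users\olena\Downloads\Antivirus_Scan.bat" "', PS,
              'powershell -c "Write-Host Scanning... 42% remaining"'),
]
```

Only the first sample record crosses the threshold: a batch parent plus a hidden-window download, which is the lineage a fake-scanner script produces; the benign backup script and the harmless progress-printing batch file are left alone.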

Security experts warn that the group’s tradecraft is relatively simple but effective at luring victims into downloading malware and additional payloads onto their machines. High-profile organisations and telecom firms should therefore watch for activity from the group and apply the strongest available security protections across their infrastructure.
