Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY

Posted: 21st November 2024
By: Insikt Group®

Summary

Insikt Group has identified an ongoing cyber-espionage campaign conducted by TAG-110, a Russia-aligned threat group targeting organizations in Central Asia, East Asia, and Europe. Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions. The campaign’s tactics align with the historical activities of UAC-0063, attributed to Russian APT group BlueDelta (APT28). HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or exploiting vulnerable web-facing services like Rejetto HTTP File Server.

TAG-110’s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states. Insikt Group provides actionable insights, including indicators of compromise and Snort and YARA rules, to help organizations detect and mitigate this activity.


Advanced persistent threat (APT) groups aligned with nation-states continue to execute sophisticated campaigns to fulfill strategic objectives. Insikt Group recently identified a Russia-aligned cyber-espionage campaign conducted by TAG-110 targeting organizations across Central Asia, East Asia, and Europe. This group deploys custom malware, including HATVIBE and CHERRYSPY, to conduct operations aligned with Russian geopolitical interests.

Key Findings

  • TAG-110 Overview: A threat group overlapping with UAC-0063, TAG-110 is linked to the Russian APT group BlueDelta (APT28) with moderate confidence.
  • Targets: Governments, human rights groups, and educational institutions in Central Asia and neighboring regions.
  • Malware Used: HATVIBE, a custom HTML application loader, and CHERRYSPY, a Python-based backdoor, are central to the campaign.
  • Scale of Impact: Since July 2024, 62 victims across eleven countries have been identified, with notable incidents in Kazakhstan, Kyrgyzstan, and Uzbekistan.

HATVIBE

HATVIBE serves as a loader for deploying additional malware like CHERRYSPY. Delivered via malicious email attachments or exploited web-facing vulnerabilities, it achieves persistence through scheduled tasks executed by the mshta.exe utility.

HATVIBE’s obfuscation techniques include VBScript encoding and XOR encryption. Once deployed, it communicates with command-and-control (C2) servers using HTTP PUT requests, reporting system details to the operators.
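As an added illustration of the HATVIBE behaviours just described (editor-written example, not Insikt Group's own Snort or YARA rules), the Python sketch below flags the scheduled-task/mshta.exe execution pattern and HTTP PUT check-ins in constructed telemetry; the record format, hostnames and the PUT allowlist are assumptions.

```python
"""HATVIBE heuristics: scheduled-task mshta.exe runs of .hta files plus HTTP PUT
check-ins. Editor-added example over constructed telemetry, not Insikt's rules."""
import re
from urllib.parse import urlparse

# Constructed "key=value" records (not real victim data). Processes started by
# the Task Scheduler have svchost.exe (the Schedule service host) as parent.
PROCESS_EVENTS = [
    'host=ws01 parent=svchost.exe image=mshta.exe cmdline="mshta.exe C:\\Users\\Public\\update.hta"',
    'host=ws01 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
    'host=ws02 parent=svchost.exe image=mshta.exe cmdline="mshta.exe C:\\ProgramData\\report.hta"',
    'host=ws03 parent=explorer.exe image=mshta.exe cmdline="mshta.exe C:\\Temp\\invoice.hta"',
]
PROXY_LOG = [
    'host=ws01 method=PUT url=http://telemetry-sample.invalid/upload/ bytes=4096',
    'host=ws02 method=PUT url=https://backup.corp.invalid/api/ bytes=9000',
    'host=ws02 method=GET url=https://example.invalid/index.html bytes=1200',
    'host=ws03 method=PUT url=http://c2-sample.invalid/p/ bytes=2048',
]
PUT_ALLOWLIST = {"backup.corp.invalid"}  # assumed internal service that takes PUT
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HTA_RE = re.compile(r"\.hta\b", re.IGNORECASE)

def parse_record(line: str) -> dict[str, str]:
    """Split a key=value record; values may be double-quoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def detect_hatvibe_execution(events: list[str]) -> list[str]:
    """Hosts where the Task Scheduler ran mshta.exe on an .hta file (T1053.005 +
    T1218.005). An explorer.exe parent is a user double-click, not persistence."""
    hits = []
    for rec in map(parse_record, events):
        if (rec.get("image", "").lower() == "mshta.exe"
                and rec.get("parent", "").lower() == "svchost.exe"
                and HTA_RE.search(rec.get("cmdline", ""))):
            hits.append(rec["host"])
    return hits

def detect_http_put_beacons(proxy_lines: list[str]) -> list[str]:
    """Hosts sending HTTP PUT to destinations outside the allowlist (T1071.001)."""
    hits = []
    for rec in map(parse_record, proxy_lines):
        dest = urlparse(rec.get("url", "")).hostname or ""
        if rec.get("method") == "PUT" and dest not in PUT_ALLOWLIST:
            hits.append(rec["host"])
    return hits

def correlate(events: list[str], proxy_lines: list[str]) -> list[str]:
    """Hosts showing both behaviours: the strongest HATVIBE candidates for triage."""
    return sorted(set(detect_hatvibe_execution(events)) & set(detect_http_put_beacons(proxy_lines)))
```

Run against real Sysmon or EDR process-creation events and proxy logs, hosts returned by correlate() are the ones to pull a scheduled-task inventory and the referenced .hta file from first.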

CHERRYSPY

CHERRYSPY, a Python-based backdoor, complements HATVIBE by enabling encrypted data exfiltration. It protects its C2 communication with RSA and the Advanced Encryption Standard (AES). TAG-110 uses CHERRYSPY to monitor victims’ systems and extract sensitive information, often targeting government and research entities.

Campaign Objectives

TAG-110’s activities align with Russia’s geopolitical objectives, particularly in Central Asia, where Moscow seeks to maintain influence amid strained relations. Intelligence gathered through these campaigns likely aids in bolstering Russia’s military efforts and understanding regional dynamics.

Mitigation Strategies

To defend against TAG-110 and similar threats, organizations should:

  1. Monitor for Indicators of Compromise (IoCs): Use intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network defense tools to detect malicious domains and IPs associated with TAG-110.
  2. Deploy Detection Rules: Leverage Snort, Suricata, and YARA rules for identifying HATVIBE and CHERRYSPY-related activities.
  3. Patch Vulnerabilities: Ensure timely updates of software to prevent exploitation of known vulnerabilities like CVE-2024-23692.
  4. Enhance Threat Awareness: Train employees to recognize phishing attempts and enforce multi-factor authentication.
  5. Leverage Intelligence Tools: Use Recorded Future’s solutions for digital risk protection, credential monitoring, and real-time threat intelligence.

Outlook

TAG-110 is expected to continue its cyber-espionage campaigns, focusing on post-Soviet Central Asian states, Ukraine, and Ukraine’s allies. These regions are significant to Moscow due to strained relations following Russia's invasion of Ukraine. While TAG-110’s ties to BlueDelta remain unconfirmed, its activities align with BlueDelta’s strategic interests in national security, military operations, and geopolitical influence.

To read the entire analysis, click here to download the report as a PDF.

Appendix A — Indicators of Compromise

C2 Domains:

C2 IP Addresses:

Appendix B — MITRE ATT&CK Techniques

Tactic                 Technique                                         ATT&CK ID
Resource Development   Acquire Infrastructure: Virtual Private Server    T1583.003
Initial Access         Exploit Public-Facing Application                 T1190
Initial Access         Spearphishing Attachment                          T1566.001
Execution              Visual Basic                                      T1059.005
Execution              Malicious File                                    T1204.002
Persistence            Scheduled Task                                    T1053.005
Defense Evasion        Encrypted/Encoded File                            T1027.013
Defense Evasion        System Binary Proxy Execution: Mshta              T1218.005
Command-and-Control    Web Protocols                                     T1071.001
Command-and-Control    Symmetric Cryptography                            T1573.001
Command-and-Control    Asymmetric Cryptography                           T1573.002