Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY
Summary
Insikt Group has identified an ongoing cyber-espionage campaign conducted by TAG-110, a Russia-aligned threat group targeting organizations in Central Asia, East Asia, and Europe. Using the custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions. The campaign’s tactics align with the historical activities of UAC-0063, attributed to the Russian APT group BlueDelta (APT28). HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage. Initial access is often achieved through phishing emails or through the exploitation of vulnerable web-facing services such as Rejetto HTTP File Server.
TAG-110’s efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states. Insikt Group provides actionable insights, including indicators of compromise and Snort and YARA rules, to help organizations detect and defend against this activity.
Advanced persistent threat (APT) groups aligned with nation-states continue to execute sophisticated campaigns to fulfill strategic objectives. Insikt Group recently identified a Russia-aligned cyber-espionage campaign conducted by TAG-110 targeting organizations across Central Asia, East Asia, and Europe. This group deploys custom malware, including HATVIBE and CHERRYSPY, to conduct operations aligned with Russian geopolitical interests.
Key Findings
- TAG-110 Overview: A threat group overlapping with UAC-0063, TAG-110 is linked to the Russian APT group BlueDelta (APT28) with moderate confidence.
- Targets: Governments, human rights groups, and educational institutions in Central Asia and neighboring regions.
- Malware Used: HATVIBE, a custom HTML application loader, and CHERRYSPY, a Python-based backdoor, are central to the campaign.
- Scale of Impact: Since July 2024, 62 victims across eleven countries have been identified, with notable incidents in Kazakhstan, Kyrgyzstan, and Uzbekistan.
HATVIBE
HATVIBE serves as a loader for deploying additional malware like CHERRYSPY. Delivered via malicious email attachments or exploited web-facing vulnerabilities, it achieves persistence through scheduled tasks executed by the mshta.exe utility.
HATVIBE’s obfuscation techniques include VBScript encoding and XOR encryption. Once deployed, it communicates with command-and-control (C2) servers using HTTP PUT requests, through which it reports details about the compromised system.
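A defender-side check for the persistence pattern described above (a scheduled task whose action is mshta.exe), written as an added example for this summary rather than code from Insikt Group's report: it parses the Task Scheduler XML carried in the TaskContent field of Windows Security event 4698 (or the task files under C:\Windows\System32\Tasks) and flags tasks that launch mshta, raising severity when the arguments point at a remote URL, inline script, or a user-writable path. The task names and task definitions in SAMPLE_TASKS are constructed, not TAG-110 artefacts.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Default namespace of Task Scheduler XML (event 4698 TaskContent, Tasks folder files).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
MSHTA_RE = re.compile(r"(^|[\\/])mshta(\.exe)?$", re.IGNORECASE)
RISKY_ARGS = [
    (re.compile(r"https?://", re.I), "remote URL argument"),
    (re.compile(r"\b(vbscript|javascript):", re.I), "inline script argument"),
    (re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I), "payload in user-writable path"),
]

def find_mshta_actions(task_name: str, task_xml: str) -> List[Dict[str, str]]:
    """Return one finding per <Exec> action in the task whose command is mshta."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.iter(f"{TASK_NS}Exec"):
        command = (exec_node.findtext(f"{TASK_NS}Command") or "").strip().strip('"')
        if not MSHTA_RE.search(command):
            continue  # tasks that run anything other than mshta are out of scope here
        args = (exec_node.findtext(f"{TASK_NS}Arguments") or "").strip()
        reasons = [label for pattern, label in RISKY_ARGS if pattern.search(args)]
        findings.append({
            "task": task_name, "command": command, "arguments": args,
            "severity": "high" if reasons else "medium",
            "reasons": ", ".join(reasons) or "mshta used as task action",
        })
    return findings

def scan_tasks(tasks: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a mapping of task name -> Task Scheduler XML and collect all findings."""
    return [f for name, xml_text in tasks.items() for f in find_mshta_actions(name, xml_text)]

# Constructed sample tasks for illustration only; not TAG-110 artefacts.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag":
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
        "<Arguments>-c -h -o</Arguments></Exec></Actions></Task>",
    "\\WindowsUpdateCheck":
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Actions><Exec><Command>mshta.exe</Command>"
        "<Arguments>C:\\Users\\Public\\Libraries\\update.hta</Arguments></Exec></Actions></Task>",
}

if __name__ == "__main__":
    for hit in scan_tasks(SAMPLE_TASKS):
        print(f"[{hit['severity']}] {hit['task']}: {hit['command']} {hit['arguments']} ({hit['reasons']})")
```

On a live host the same function can be fed the XML exported by `schtasks /query /xml` or collected from event 4698 by a SIEM; a benign task such as the defrag example produces no finding.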
CHERRYSPY
CHERRYSPY, a Python-based backdoor, complements HATVIBE by enabling encrypted data exfiltration. It protects communication with its C2 servers using RSA and the Advanced Encryption Standard (AES). TAG-110 uses CHERRYSPY to monitor victims’ systems and extract sensitive information, often targeting government and research entities.
Campaign Objectives
TAG-110’s activities align with Russia’s geopolitical objectives, particularly in Central Asia, where Moscow seeks to maintain influence amid strained relations. Intelligence gathered through these campaigns likely aids in bolstering Russia’s military efforts and understanding regional dynamics.
Mitigation Strategies
To defend against TAG-110 and similar threats, organizations should:
- Monitor for Indicators of Compromise (IoCs): Use intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network defense tools to detect malicious domains and IPs associated with TAG-110.
- Deploy Detection Rules: Leverage Snort, Suricata, and YARA rules for identifying HATVIBE and CHERRYSPY-related activities.
- Patch Vulnerabilities: Ensure timely updates of software to prevent exploitation of known vulnerabilities like CVE-2024-23692.
- Enhance Threat Awareness: Train employees to recognize phishing attempts and enforce multi-factor authentication.
- Leverage Intelligence Tools: Use Recorded Future’s solutions for digital risk protection, credential monitoring, and real-time threat intelligence.
Outlook
TAG-110 is expected to continue its cyber-espionage campaigns, focusing on post-Soviet Central Asian states, Ukraine, and Ukraine’s allies. These regions are significant to Moscow due to strained relations following Russia's invasion of Ukraine. While TAG-110’s ties to BlueDelta remain unconfirmed, its activities align with BlueDelta’s strategic interests in national security, military operations, and geopolitical influence.
Appendix A — Indicators of Compromise
Appendix B — MITRE ATT&CK Techniques

| Tactic | Technique | ATT&CK Code |
| --- | --- | --- |
| Resource Development | Acquire Infrastructure: Virtual Private Server | T1583.003 |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Initial Access | Spearphishing Attachment | T1566.001 |
| Execution | Visual Basic | T1059.005 |
| Execution | Malicious File | T1204.002 |
| Persistence | Scheduled Task | T1053.005 |
| Defense Evasion | Encrypted/Encoded File | T1027.013 |
| Defense Evasion | System Binary Proxy Execution: Mshta | T1218.005 |
| Command and Control | Web Protocols | T1071.001 |
| Command and Control | Symmetric Cryptography | T1573.001 |
| Command and Control | Asymmetric Cryptography | T1573.002 |