On March 16, 2023, SentinelLabs researchers published the technical details of a cyberespionage campaign against government and telecommunications organizations in multiple countries, which they attribute to the Winter Vivern threat group.
Context
SentinelLabs researchers assess that current Winter Vivern activity aligns closely with Belarusian and Russian government interests. The SentinelLabs report builds on recent activity reported by Poland's CBZC and subsequently by CERT-UA, which tracks the group as UAC-0114. In the current wave of activity, the group targeted government organizations in Lithuania, India, the Vatican, and Slovakia; in one case it targeted a telecommunications firm that supports Ukraine in the ongoing conflict. Earlier activity attributed to the group targeted Polish government agencies, the Ukrainian Ministry of Foreign Affairs, the Italian Ministry of Foreign Affairs, and individuals within the Indian government.
According to the report, Winter Vivern uses phishing websites, credential-phishing pages, and malicious documents tailored to each targeted organization, then deploys custom loaders that give the operators remote access to sensitive data for exfiltration.
IOCs
SentinelLabs reported the following indicators of compromise (IOCs). Note that several of the domains mimic OCSP or security-service naming (ocspdep[.]com, security-ocsp[.]com, ocs-romastassec[.]com) and will not stand out in proxy logs by name alone, and that two of the URLs sit under wp-includes/ paths of WordPress installations, so decide deliberately whether to block the full URL or the whole host.
Indicator | Type
--- | ---
bugiplaysec[.]com | Domain
marakanas[.]com | Domain
mfa_it_sec@outlook[.]com | Email
ocs-romastassec[.]com | Domain |
ocspdep[.]com | Domain |
security-ocsp[.]com | Domain |
troadsecow[.]com | Domain |
hxxps://applesaltbeauty[.]com/wordpress/wp-includes/widgets/classwp/521734i | URL |
hxxps://marakanas[.]com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php | URL |
hxxps://natply[.]com/wordpress/wp-includes/fonts/ch/097214o | URL |
hxxps://ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php | URL |
176.97.66[.]57 | IP |
179.43.187[.]175 | IP |
179.43.187[.]207 | IP |
195.54.170[.]26 | IP |
80.79.124[.]135 | IP |
0fe3fe479885dc4d9322b06667054f233f343e20 | File SHA1 |
83f00ee38950436527499769db5c7ecb74a9ea41 | File SHA1 |
a19d46251636fb46a013c7b52361b7340126ab27 | File SHA1 |
a574c5d692b86c6c3ee710af69fccbb908fe1bb8 | File SHA1 |
c7fa6727fe029c3eaa6d9d8bd860291d7e6e3dd0 | File SHA1 |
f39b260a9209013d9559173f12fbc2bd5332c52a | File SHA1 |
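The table above is defanged for safe publication, which means it cannot be matched against logs as-is. The script below is an added example, not code from SentinelLabs or the original advisory: it refangs the table, builds per-type indicator sets, and scans a handful of constructed proxy, DNS, EDR and mail-gateway log lines for hits. The log lines, hostnames such as cdn.security-ocsp.com, and the private/TEST-NET addresses are all invented for illustration; the email row is typed as Email rather than Domain. Two design choices go beyond the table: the host of each listed URL is also treated as a domain indicator, and domain matching includes subdomains, since the actors control the zone.

```python
import re

# The advisory's IOC table, copied verbatim (still defanged).
IOC_TABLE = """
bugiplaysec[.]com | Domain
marakanas[.]com | Domain
mfa_it_sec@outlook[.]com | Email
ocs-romastassec[.]com | Domain
ocspdep[.]com | Domain
security-ocsp[.]com | Domain
troadsecow[.]com | Domain
hxxps://applesaltbeauty[.]com/wordpress/wp-includes/widgets/classwp/521734i | URL
hxxps://marakanas[.]com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php | URL
hxxps://natply[.]com/wordpress/wp-includes/fonts/ch/097214o | URL
hxxps://ocs-romastassec[.]com/goog_comredira3cf7ed34f8.php | URL
176.97.66[.]57 | IP
179.43.187[.]175 | IP
179.43.187[.]207 | IP
195.54.170[.]26 | IP
80.79.124[.]135 | IP
0fe3fe479885dc4d9322b06667054f233f343e20 | File SHA1
83f00ee38950436527499769db5c7ecb74a9ea41 | File SHA1
a19d46251636fb46a013c7b52361b7340126ab27 | File SHA1
a574c5d692b86c6c3ee710af69fccbb908fe1bb8 | File SHA1
c7fa6727fe029c3eaa6d9d8bd860291d7e6e3dd0 | File SHA1
f39b260a9209013d9559173f12fbc2bd5332c52a | File SHA1
"""


def refang(value: str) -> str:
    """Reverse common defanging: [.] -> . and hxxp(s):// -> http(s)://."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_iocs(table: str) -> dict:
    """Build lowercase indicator sets keyed by type from the pipe-separated table."""
    iocs = {"domain": set(), "email": set(), "url": set(), "ip": set(), "sha1": set()}
    for line in table.strip().splitlines():
        if "|" not in line:
            continue
        indicator, kind = (p.strip() for p in line.split("|", 1))
        value, kind = refang(indicator), kind.lower()
        if kind == "domain":
            iocs["domain"].add(value.lower())
        elif kind == "email":
            iocs["email"].add(value.lower())
        elif kind == "url":
            iocs["url"].add(value)
            # Example's choice: the host of a listed URL is an indicator on its own.
            iocs["domain"].add(re.match(r"https?://([^/]+)", value).group(1).lower())
        elif kind == "ip":
            iocs["ip"].add(value)
        elif kind == "file sha1":
            iocs["sha1"].add(value.lower())
    return iocs


URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[a-z]{2,}", re.I)


def scan_line(line: str, iocs: dict) -> list:
    """Return (type, value) hits found in one log line, in a fixed order, deduplicated."""
    hits = []
    hits += [("url", u) for u in URL_RE.findall(line) if u in iocs["url"]]
    for cand in DOMAIN_RE.findall(line):
        d = cand.lower()  # exact match or any subdomain of a listed domain
        if d in iocs["domain"] or any(d.endswith("." + known) for known in iocs["domain"]):
            hits.append(("domain", d))
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in iocs["ip"]]
    hits += [("sha1", h.lower()) for h in SHA1_RE.findall(line) if h.lower() in iocs["sha1"]]
    hits += [("email", e.lower()) for e in EMAIL_RE.findall(line) if e.lower() in iocs["email"]]
    return list(dict.fromkeys(hits))


def scan_logs(lines, iocs: dict) -> list:
    """Return [(line_number, hits)] for every line that matched at least one indicator."""
    return [(n, h) for n, ln in enumerate(lines, 1) if (h := scan_line(ln, iocs))]


# Constructed sample log lines (not real telemetry): proxy, DNS, EDR, benign, mail gateway.
SAMPLE_LOGS = [
    "2023-03-17T09:12:41Z proxy src=10.20.3.41 dst=179.43.187.175 GET https://marakanas.com/Kkdn7862Jj6h2oDASGmpqU4Qq4q4.php 200",
    "2023-03-17T09:12:40Z dns client=10.20.3.41 query=cdn.security-ocsp.com type=A",
    "2023-03-17T09:13:02Z edr host=WS-0412 file=C:\\Users\\a\\AppData\\Local\\Temp\\update.ps1 sha1=A19D46251636FB46A013C7B52361B7340126AB27",
    "2023-03-17T09:14:00Z proxy src=10.20.3.42 dst=203.0.113.10 GET https://www.example.com/ 200",
    '2023-03-17T08:55:10Z mta from=mfa_it_sec@outlook.com to=press@example.org subject="MFA notice"',
]

if __name__ == "__main__":
    for line_no, hits in scan_logs(SAMPLE_LOGS, parse_iocs(IOC_TABLE)):
        print(f"line {line_no}: {hits}")
```

The subdomain rule is why the DNS line matches on cdn.security-ocsp.com even though only the apex is listed; the URL hit on the proxy line also yields a separate domain and IP hit, which is the usual situation when one event touches several indicator types. Hash comparison is case-insensitive because EDR products disagree on hex casing.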