There is no shortage of bold and brazen APT groups operating in the interests of the Russian government, and many of them are not too concerned with staying under the radar. But there is a lesser-known team that has been targeting government and private organizations in Ukraine, Poland, and other countries, especially those organizations that are supporting Ukraine in its defense against the Russian invasion.
The group is known as Winter Vivern and was first exposed by researchers at Domain Tools in 2021 when they came across malicious documents used in campaigns targeting organizations in a number of countries, including Lithuania, the Vatican, Italy, Ukraine, and India. Since then, the group has remained relatively unexamined as compared to other APT teams, but researchers from SentinelOne recently uncovered some attacks targeting Ukrainian and Polish organizations, including a telecommunications company.
The campaigns typically use phishing lures that are modified versions of legitimate government documents of particular interest to the intended target. They also sometimes create copies of legitimate government websites to phish for credentials. The targeting is by no means random.
“In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland's Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine,” a new analysis by Tom Hegel of SentinelOne’s SentinelLabs says.
“Looking back at less recent activity, we can see in December 2022 the group likely targeted individuals associated with the Hochuzhit.com (“I Want to Live”) project, the Ukraine government website offering guidance and instructions to Russian and Belarus Armed Forces seeking to voluntarily surrender in the war. In these attacks the threat actor made use of macro-enabled Excel Spreadsheet to infect the target.”
Winter Vivern uses a variety of tools in its operations, including some legitimate Windows utilities. But it also has some of its own malware at its disposal. One tool is known as Aperetif and is disguised as a malware scanner.
“APERETIF is a trojan, automating the collection of victim details, maintaining access, and beaconing outbound the actor controlled domain marakanas[.]com. As with the previous script, the trojan makes use of WHOAMI within PowerShell in its initial activity to beacon outbound for further instructions and/or downloads,” Hegel said.
To deliver Aperetif, Winter Vivern used compromised WordPress sites, but the group also has demonstrated the ability to exploit vulnerabilities for initial access.
“Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations. The dynamic set of TTPs and their ability to evade the public eye has made them a formidable force in the cyber domain,” Hegel said.
The SentinelOne researchers said that Winter Vivern may not be one of the noisier APT teams, but it appears to be doing its job, which is supporting the interests of the Russian and Belorussian governments.
“Our analysis indicates that Winter Vivern's activities are closely aligned with global objectives that support the interests of Belarus and Russia's governments,” Hegel said.