HATVIBE and CHERRYSPY Malware

Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe.

Recorded Future's Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The hacking crew has been active since at least 2021.

"Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions," the cybersecurity company said in a Thursday report. "HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage."

Cybersecurity

TAG-110's use of HATVIBE and CHERRYSPY was first documented by CERT-UA back in late May 2023 in connection with a cyber attack targeting state agencies in Ukraine. Both the malware families were again spotted over a year later in an intrusion of an unnamed scientific research institution in the country.

As many as 62 unique victims across eleven countries have been identified since then, with notable incidents in Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, and Uzbekistan, indicating that Central Asia is a primary area of focus for the threat actor in a likely attempt to gather intelligence that informs Russia's geopolitical objectives in the region.

A smaller number of victims have also been detected in Armenia, China, Hungary, India, Greece, and Ukraine.

HATVIBE and CHERRYSPY Malware

Attack chains involve the exploitation of security flaws in public-facing web applications (e.g., Rejetto HTTP File Server) and phishing emails as an initial access vector to drop HATVIBE, a bespoke HTML application loader that serves as a conduit to deploy the CHERRYSPY backdoor for data gathering and exfiltration.

"TAG-110's efforts are likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states," Recorded Future said. "These regions are significant to Moscow due to strained relations following Russia's invasion of Ukraine."

Russia is also believed to have ramped up its sabotage operations across European critical infrastructure following its full-scale invasion of Ukraine in February 2022, targeting Estonia, Finland, Latvia, Lithuania, Norway, and Poland with the goal of destabilizing NATO allies and disrupting their support for Ukraine.

Cybersecurity

"These covert activities align with Russia's broader hybrid warfare strategy, aiming to destabilize NATO countries, weaken their military capabilities, and strain political alliances," Recorded Future said, describing the efforts as "calculated and persistent."

"As relations between Russia and the West will almost certainly remain fraught, Russia is very likely to increase the destructiveness and lethality of its sabotage operations without crossing the threshold of war with NATO as discussed in the Gerasimov doctrine. These physical attacks will likely complement Russian efforts in the cyber and influence operations realm in line with Russia's hybrid war doctrine."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.