##### CYBER THREAT ANALYSIS

By Insikt Group®

**RUSSIA**

November 21, 2024

# Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY

- Insikt Group identified a cyber-espionage campaign conducted by Russia-aligned TAG-110. This group overlaps with UAC-0063, which CERT-UA has attributed with moderate
- Since July 2024, 62 victims of custom malware HATVIBE and CHERRYSPY have been found across eleven countries, mostly in Central Asia, targeting government, human rights,
- Similar to other recent Russian APT campaigns, the group likely aims to gather intelligence to support Russia’s war in Ukraine and monitor geopolitical events

_Note: The analysis cut-off date for this report was August 7, 2024_

## Executive Summary

Insikt Group has identified an ongoing cyber-espionage campaign targeting organizations in Central Asia, East Asia, and Europe. This campaign is conducted by a Russia-aligned threat activity group Insikt Group tracks as TAG-110, which overlaps with UAC-0063 and which the Computer Emergency Response Team of Ukraine (CERT-UA) attributes with moderate confidence to the Russian cyber-espionage group BlueDelta (APT28). Targeted organizations include human rights groups, private security companies, and educational institutions. TAG-110 has been observed deploying the loader HATVIBE and the backdoor CHERRYSPY to conduct operations in this campaign. Initial access is suspected to come from malicious email attachments or exploitation of vulnerable web-facing services such as Rejetto HTTP File Server (HFS). Insikt Group followed responsible disclosure procedures in advance of this publication per Recorded Future's notification policy.
## Key Findings

- TAG-110 (UAC-0063), which CERT-UA first [identified in May 2023](https://cert.gov.ua/article/4697016) and attributed with moderate confidence to the Russian state-sponsored advanced persistent threat (APT) group BlueDelta (APT28), is a Russia-aligned threat activity group primarily targeting organizations in Central Asia.
- Since July 2024, Insikt Group has identified 62 unique TAG-110 victims of custom malware HATVIBE and CHERRYSPY across eleven countries, with the vast majority of identified victims located in Central Asia. The targeted organizations were primarily in the government, human rights group, and education sectors.
- This campaign aligns with historical UAC-0063 reporting, including the use of CHERRYSPY beginning in 2023 and the heavy focus on targets in Central Asia.
- Similar to other recent Russian APT campaigns affecting the region, the group is likely seeking to acquire intelligence to bolster Russia’s military efforts in Ukraine and gather insights into geopolitical events in neighboring countries, especially as Moscow’s relations with its neighbors have suffered following its invasion of Ukraine.

## Background

TAG-110 is a threat activity group that overlaps with the publicly reported group UAC-0063, which has been [linked to BlueDelta (APT28) with “medium confidence” by CERT-UA](https://cert.gov.ua/article/6280129). TAG-110 has carried out espionage activities aligned with Russian state interests since [at least 2021](https://cert.gov.ua/article/4697016?fbclid=IwAR1B5gj0v-Ve9Q5299ydM5lrInLuKVmvPRosQkUucq6YzcjuTgVnM_x3LjQ). Previous reports have detailed that TAG-110 primarily targets entities in Central Asia, alongside targets located in India, Israel, Mongolia, and Ukraine.
Targeted sectors in these countries have historically been government,

1 CTA-RU-2024-1121 Recorded Future® [| www.recordedfuture.com](http://www.recordedfuture.com)

HATVIBE will check whether the HTTP response payload data from the C2 starts with the string “sd5ddf3e3fg4gfds”. If this condition is met, HATVIBE will execute everything after this string as VBScript. HATVIBE C2 servers use virtual private server (VPS) infrastructure on various hosting providers and Namecheap for domain registration. A full breakdown can be found in Table 1 and Table 2.

|IP Address|Autonomous System Name|Autonomous System Number|
|---|---|---|
|45.136.198[.]189|M247|9009|
|45.136.198[.]18|M247|9009|
|45.136.198[.]184|M247|9009|
|194.31.55[.]131|AS-HOSTINGER|47583|
|5.45.70[.]178|SCALAXY-AS|58061|

**_Table 1: HATVIBE C2 IP infrastructure (Source: Recorded Future)_**

|Domain|Registrar|Date Created|
|---|---|---|
|trust-certificate[.]net|Namecheap, Inc.|2024-07-09|
|experience-improvement[.]com|Namecheap, Inc.|2024-07-16|
|telemetry-network[.]com|Namecheap, Inc.|2023-10-06|
|shared-rss[.]info|Namecheap, Inc.|2024-03-15|
|game-wins[.]com|Namecheap, Inc.|2023-09-26|

**_Table 2: HATVIBE C2 domain infrastructure_**

CHERRYSPY, upon execution, establishes a secure communication channel to a hard-coded C2 server through HTTP POST requests. It employs a combination of asymmetric (RSA) and symmetric (Advanced Encryption Standard [AES]) encryption algorithms for secure key exchange and confidential data transmission.
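Detection logic for the two network behaviours the report describes, the HATVIBE C2 response that must begin with the marker string above and the CHERRYSPY key-exchange POST described in the next paragraph, as an added example that is not part of the report or of either malware family. The 24-character `USR_KAF` and SHA-256 `USR_CRC` checks follow the report's description; the sample HTTP messages are constructed.

```python
import json
import re

# Marker a HATVIBE C2 response must begin with; the remainder is run as VBScript.
HATVIBE_MARKER = b"sd5ddf3e3fg4gfds"
# Exact field set of the CHERRYSPY key-exchange POST body (Figure 6 in the report).
CHERRYSPY_FIELDS = {"USR_KAF", "USR_CRC", "USR_PUB"}
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")

def split_http(raw):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return lines[0], headers, body

def classify(raw):
    """Return the list of indicator names matched by one raw HTTP message."""
    start, headers, body = split_http(raw)
    findings = []
    # HATVIBE: an HTTP response whose body starts with the marker string.
    if start.startswith(b"HTTP/") and body.startswith(HATVIBE_MARKER):
        findings.append("hatvibe_vbscript_response")
    # CHERRYSPY: JSON POST with exactly the three fields, 24-char ID, SHA-256 hex CRC.
    if start.startswith(b"POST ") and "json" in headers.get("content-type", ""):
        try:
            doc = json.loads(body)
        except ValueError:
            return findings
        if isinstance(doc, dict) and set(doc) == CHERRYSPY_FIELDS:
            if len(str(doc["USR_KAF"])) == 24 and SHA256_HEX.match(str(doc["USR_CRC"])):
                findings.append("cherryspy_key_exchange")
    return findings

# Constructed sample messages, not real captures.
SAMPLES = {
    "hatvibe": b'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nsd5ddf3e3fg4gfdsMsgBox "hi"',
    "cherryspy": b"POST / HTTP/1.1\r\nHost: c2.example\r\n"
                 b"Content-Type: application/json; charset=utf-8\r\n\r\n"
                 + json.dumps({"USR_KAF": "K" * 24, "USR_CRC": "ab" * 32,
                               "USR_PUB": "-----BEGIN PUBLIC KEY-----"}).encode(),
    "benign": b'POST /api HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{"user": "bob"}',
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify(msg))
```

The CHERRYSPY rule is written against the initial exchange only; the C2 reply replaces `USR_KAF` with a 32-character value, so later beacons need a separate rule.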
The key exchange also includes “USR_KAF”, a hard-coded 24-character ID, and “USR_CRC”, a SHA-256 hash of the CHERRYSPY payload. An example of the HTTP POST from CHERRYSPY to its C2 server can be seen in Figure 6.

```
POST / HTTP/1.1
Accept-Encoding: identity
Content-Length: 591
Host: :
User-Agent:
Content-Type: application/json; charset=utf-8
Connection: close

{"USR_KAF": "", "USR_CRC": "", "USR_PUB": ""}
```

**_Figure 6: CHERRYSPY key exchange HTTP POST (Source: Recorded Future)_**

The CHERRYSPY C2 server responds with an AES key and initialization vector (IV) used to encrypt and decrypt further communication. Also included in the response is the new value for “USR_KAF”, which is 32 characters long. An example of a successful key exchange response from a CHERRYSPY C2 server can be seen in Figure 7.

|IP Address|Autonomous System Name|Autonomous System Number|
|---|---|---|
|212.224.86[.]69|DE-FIRSTCOLO|44066|
|185.62.56[.]47|SNEL|62370|
|84.32.188[.]23|CHERRYSERVERS2-AS|59642|
|185.167.63[.]42|HOSTKEY-AS|57043|
|46.183.219[.]228|DATACLUB|52048|
|185.158.248[.]198|M247|9009|

**_Table 3: CHERRYSPY C2 IP infrastructure (Source: SecurityTrails)_**

|Domain|Registrar|Date Created|
|---|---|---|
|internalsecurity[.]us|Namecheap, Inc.|2023-12-22|
|errorreporting[.]net|Namecheap, Inc.|2023-05-24|
|lanmangraphics[.]com|Namecheap, Inc.|2023-10-05|
|retaildemo[.]info|Namecheap, Inc.|2024-04-01|
|tieringservice[.]com|Namecheap, Inc.|2024-02-26|
|enrollmentdm[.]com|Namecheap, Inc.|2024-05-13|

**_Table 4: CHERRYSPY C2 domain infrastructure (Source: SecurityTrails)_**

## Mitigations

- Configure intrusion detection systems (IDS), intrusion prevention systems (IPS), or
any network defense mechanisms in place to alert on—and upon review, consider blocking connection attempts to and from—the domains and IP addresses listed in **Appendix A**.
- Use the Snort, Suricata, and YARA rules provided in **Appendices B, C, and D** to alert on network communications linked to HATVIBE and CHERRYSPY and search for infection in your network.
- Use Process Monitor to monitor for Scheduled Tasks created via mshta.exe to detect HATVIBE’s attempts to establish persistence. Monitor and block execution of HTA files if they are not typically used in your environment.
- Ensure prompt patching of vulnerable software. In particular, patch Rejetto HTTP File Server (HFS) to remediate the CVE-2024-23692 Template Injection vulnerability, which allows unauthenticated users to execute arbitrary commands via specially crafted HTTP requests.
- Enforce strong security awareness through proactive and interactive exercises, and train users to recognize phishing emails, exercise caution when clicking on links or opening attachments in emails, and enable multi-factor authentication (MFA) whenever possible.
- Establish real-time alerts through Recorded Future’s [Digital Risk Protection solution](https://www.recordedfuture.com/solutions/digital-risk) to detect typosquatted domains that mimic your brands, and assess suspicious email attachments with our Malware Intelligence. This proactive measure helps guard against threat actor groups that could exploit these domains for credential harvesting and phishing.
- Use Recorded Future [Identity Intelligence](https://www.recordedfuture.com/products/identity-intelligence) to monitor, detect, and mitigate widespread credential leaks and theft, enhancing account protection.
Additionally, you can monitor your companies’ exposures with Recorded Future’s [Attack Surface Intelligence](https://www.recordedfuture.com/products/attack-surface-intelligence).
- Monitor Insikt Group reporting for the latest threat actor tradecraft; tactics, techniques, and procedures (TTPs); targeting; and indicators of compromise (IoCs) to ensure you are informed of the threat.
- Recorded Future users with the Threat Intelligence module can use the Advanced Query Builder to hunt for specific keywords, threat actors, code snippets, and other indicators associated with threat actors of interest.
- Assess suspicious email attachments with Recorded Future Malware Intelligence for instant analysis to quickly understand the associated threats. Upload suspicious files to Recorded Future Triage for further analysis.
- Participate in Recorded Future Collective Insights to harness the power of the Recorded Future Intelligence Cloud and customer signals to give visibility into threats based on your environment, industry, and in-the-wild incidents.
- [Recorded Future Threat Intelligence (TI), Third-Party Intelligence, and SecOps Intelligence](https://www.recordedfuture.com/platform/threat-intelligence) [module](https://www.recordedfuture.com/license-options/) users can monitor real-time output from Network Intelligence analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.

## Outlook

Insikt Group anticipates that TAG-110 campaigns similar to those detailed in this report will continue in the near term, likely with a continued targeting focus on the post-Soviet Central Asian states along Russia’s periphery, as well as Ukraine and its supporting states.
The Central Asian states may be particularly important to Moscow, as its relations with many post-Soviet states in the region have [deteriorated considerably following its invasion of Ukraine](https://www.fpri.org/article/2023/02/russia-is-down-but-not-out-in-central-asia/). While CERT-UA’s moderate confidence attribution to BlueDelta cannot be confirmed at this time, TAG-110’s activity does overlap with BlueDelta’s strategic interests in the areas of national security, military operations, and geopolitical influence.

## Appendix A — Indicators of Compromise

## Appendix B — Snort Rule

## Appendix C — Suricata Rule

## Appendix D — YARA Rule

## Appendix E — MITRE ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Resource Development: Acquire Infrastructure: Virtual Private Server|T1583.003|
|Initial Access: Exploit Public-Facing Application|T1190|
|Initial Access: Spearphishing Attachment|T1566.001|
|Execution: Visual Basic|T1059.005|
|Execution: Malicious File|T1204.002|
|Persistence: Scheduled Task|T1053.005|
|Defense Evasion: Encrypted/Encoded File|T1027.013|
|Defense Evasion: System Binary Proxy Execution: Mshta|T1218.005|
|Command-and-Control: Web Protocols|T1071.001|
|Command-and-Control: Symmetric Cryptography|T1573.001|
|Command-and-Control: Asymmetric Cryptography|T1573.002|

## Appendix F — Diamond Model of Intrusion Analysis

_Recorded Future reporting contains expressions of likelihood or
probability consistent_ _with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses confidence level standards [employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments._

_About Insikt Group®_

_Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption._

_About Recorded Future®_

_Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence._

_Learn more at recordedfuture.com_